J. Wang. PC Network Security Theory and Practice. Springer 2009

Presentation Transcript

Section 4 Data Authentication Part II J. Wang. PC Network Security Theory and Practice. Springer 2008

Chapter 4 Outline 4.1 Cryptographic Hash Functions 4.2 Cryptographic Checksums 4.3 HMAC 4.4 Offset Codebook Mode of Operations 4.5 Birthday Attacks 4.6 Digital Signature Standard 4.7 Dual Signatures and Electronic Transactions 4.8 Blind Signatures and Electronic Cash J. Wang. PC Network Security Theory and Practice. Springer 2008

Birthday Attack Basics In a gathering of 23 individuals, the likelihood that there are no less than two people around the same time around the same time is more prominent than 1/2 Proof. The likelihood that none of the 23 individuals has a similar birthday is: Thus, 1 – 0.493 > 1/2 J. Wang. PC Network Security Theory and Practice. Springer 2008

Strong Collision Resistance Complexity Upper Bound J. Wang. PC Network Security Theory and Practice. Springer 2008 Complexity upper bound of breaking solid crash resistance Let H be a cryptographic hash work with yield length l . At that point H will just have at most n = 2 l diverse yields Q: Is 2 l the intricacy upper bound of breaking solid crash resistance? A: No. We can utilize birthday assault to diminish the intricacy to 2 l/2 with more than half achievement rate Birthday Paradox : From a crate of n bundles of various hues, pick k (k<n) balls consistently and autonomously aimlessly and record their hues. On the off chance that then with likelihood no less than 1/2 there is no less than one ball that is picked more than once Complexity upper bound of SHA-1: 2 160/2 = 2 80 ; SHA-512: 2 512/2 = 2 256

Set Intersection Attack Select consistently and autonomously at arbitrary two arrangements of numbers from {1,2,… , n }, with k whole numbers in each set, where k < n What is the likelihood Q ( n , k ) that these two sets converge? The likelihood that these two sets separate is equivalent to Thus, It can be demonstrated that if then J. Wang. PC Network Security Theory and Practice. Springer 2008

Set Intersection Attack Example The set crossing point assault is a type of birthday assaults For instance: Malice may clench hand utilize a honest to goodness archive D to acquire the expert AU's mark Malice then creates another report F that has distinctive implications from D with the end goal that H ( F ) =H ( D ) (Note that there are many traps to discover such a F) Malice utilizes ( F,C ) to demonstrate that F is embraced by AU J. Wang. PC Network Security Theory and Practice. Springer 2008

How to discover Document F? Vindictiveness readies a set S 1 of 2 l/2 unique reports, all having an indistinguishable significance from D. Such reports can be gotten by supplanting a word or an expression in D rethinking sentences in D utilizing distinctive accentuation redesigning the structure of D changing aloof tense to dynamic, or dynamic to detached Malice readies an arrangement of S 2 of 2 l/2 unique records, all having a similar significance of F, and figures J. Wang. PC Network Security Theory and Practice. Springer 2008

Chapter 4 Outline 4.1 Cryptographic Hash Functions 4.2 Cryptographic Checksums 4.3 HMAC 4.4 Offset Codebook Mode of Operations 4.5 Birthday Attacks 4.6 Digital Signature Standard 4.7 Dual Signatures and Electronic Transactions 4.8 Blind Signatures and Electronic Cash J. Wang. PC Network Security Theory and Practice. Springer 2008

Digital Signature Standard (DSS) Digital mark for a message M : Public Key Cryptosystem The best component to deliver an advanced mark for a given record RSA (patent ensured until 2000) ‏ DSS First distributed in 1991 RSA and ECC were incorporated into DSS after 2000 Generate computerized marks just, not scramble information J. Wang. PC Network Security Theory and Practice. Springer 2008

Construction of DSS H : SHA-1 (160 piece) ‏ L : 512 < L < 1024 Parameters: P : prime number; 2 L – 1 < p < 2 L q : a prime variable of p – 1 ; 2 159 < q < 2 160 g : g = h ( p – 1)/q mod p ; 1 < h < p – 1, g > 1 J. Wang. PC Network Security Theory and Practice. Springer 2008

DSS Signing Alice needs to sign a message M Picks aimlessly a private key, 0 < x A < q Computes open key: y A = g xA mod p Picks indiscriminately a whole number: 0 < k A < q r A = ( g kA mod p ) mod q k A – 1 = k A q – 2 mod q s A = k A – 1 ( H ( M )+ x A r A ) mod q M 's computerized signature: ( r A , s A ) J. Wang. PC Network Security Theory and Practice. Springer 2008

DSS Signature Verification Bob gets ( M', ( r A ', S A ') ‏ ) and CA [ y A ] Obtains Alice's y An utilizing CA's K CA u to decode CA[ y A ] Verifies Alice's advanced mark: w = ( S A ') – 1 mod q = ( S A ') q – 1 mod q u 1 = ( H ( M ') w ) mod q u 2 = ( r A " w ) mod q v = [( g u 1 y A u2 ) mod p ] mod q If v = r A " then the mark is confirmed J. Wang. PC Network Security Theory and Practice. Springer 2008

Security Strength of DSS J. Wang. PC Network Security Theory and Practice. Springer 2008 Rests on the quality of SHA-1 and the trouble of explaining discrete log The multifaceted nature of breaking the solid crash resistance of SHA-1 has as of late been decreased from 2 80 to 2 63 Breaking the impact resistance is harder Intractability of discrete log guarantees that it is hard to figure k An or x A from r An and s A

Chapter 4 Outline 4.1 Cryptographic Hash Functions 4.2 Cryptographic Checksums 4.3 HMAC 4.4 Offset Codebook Mode of Operations 4.5 Birthday Attacks 4.6 Digital Signature Standard 4.7 Dual Signatures and Electronic Transactions 4.8 Blind Signatures and Electronic Cash J. Wang. PC Network Security Theory and Practice. Springer 2008

Alice (client) ‏ Bob (dealer) ‏ Alice needs bounce to follow up on Purchase Order ( I 1 ) ‏ Alice must send installment data to Charlie ( I 2 ) ‏ Bob will attend to installment affirmation from Charlie. Charlie (broker) ‏ Dual Signatures and Electronic Transactions J. Wang. PC Network Security Theory and Practice. Springer 2008

Dual Signatures We don't need Bob to see I 2 and Charlie to see I 1 (for better security) Charlie ought not send I 2 to Bob before Bob gets I 1 I 1 and I 2 ought to be connected (this keeps division of an installment from a request) All messages must be validated and scrambled (No valuable data is listened stealthily, adjusted, or manufactured) J. Wang. PC Network Security Theory and Practice. Springer 2008

Dual Signature An intuitive verification convention for electronic exchanges Provides security and security insurances Has been utilized as a part of SET (Secure Electronic Transactions), planned by Visa and MasterCard in 1996 yet has not been utilized as a part of practice Requires Alice, Bob, and Charlie concede to a hash work H and a PKC encryption calculation E Each of Alice, Bob, and Charlie should each have a RSA scratch combine: ( K A u , K A r ), ( K B u , K B r ), ( K C u , K C r ) J. Wang. PC Network Security Theory and Practice. Springer 2008

SET: Alice Calculates the accompanying qualities: Sends ( s B , s C , ds ) to Bob. Sits tight for a receipt R B = from Bob Decrypts R B utilizing K A r to get and confirms Bob's mark utilizing K B u to get R B J. Wang. PC Network Security Theory and Practice. Springer 2008

SET: Bob Verifies Alice's mark; i.e. Contrasts and Decrypts Forwards ( s B , s C , ds ) to Charlie Waits for Charlie's receipt R C = ‏ Decrypts R C utilizing K B r to get and confirms Charlie's mark utilizing K C u to get R C Sends a marked receipt R B = to Alice J. Wang. PC Network Security Theory and Practice. Springer 2008

SET: Charlie Verifies Alice's mark; i.e. Contrasts and Decrypts If I 2 contains legitimate installment data, then execute the best possible installment exchange and send a receipt R C = to Bob J. Wang. PC Network Security Theory and Practice. Springer 2008

Chapter 4 Outline 4.1 Cryptographic Hash Functions 4.2 Cryptographic Checksums 4.3 HMAC 4.4 Offset Codebook Mode of Operations 4.5 Birthday Attacks 4.6 Digital Signature Standard 4.7 Dual Signatures and Electronic Transactions 4.8 Blind Signatures and Electronic Cash J. Wang. PC Network Security Theory and Practice. Springer 2008

Blind Signatures A method to carefully sign a record without uncovering the report to the endorser The archive to be marked is consolidated with a visually impaired element , which keeps the underwriter from perusing the archive however can later be expelled without harming the mark J. Wang. PC Network Security Theory and Practice. Springer 2008

Blind Signatures with RSA Randomly create r < n (the visually impaired element) to such an extent that gcd( r , n ) = 1 Let M r = M r e mod n Signer signs M r and acquires s r = M r d mod n The visually impaired element r can be expelled as takes after: s M = ( s r – 1 ) mod n = M d mod n J. Wang. PC Network Security Theory and Practice. Springer 2008

Proof The visually impaired component is expelled as s M = ( s r – 1 ) mod n = ( M d r ed r – 1 ) mod n Since ed ≡ 1 mod ф ( n )) r ed ≡ r mod n (Fermat's little hypothesis) We have s M = M d mod n J. Wang. PC Network Security Theory and Practice. Springer 2008

Electronic Cash Real money has the accompanying key properties: Anonymous Can change hands Can be separated into littler values Hard to fake Can those properties be copied with some kind of