Spring 2003 © 2000-2003, Richard A. Stanley WPI EE579T/4 #1 EE579T / CS525T Network Security 4: Authentication, PGP Prof. Richard A. Stanley


Overview of Tonight’s Class

• Review of last week’s class

• Authentication

• Pretty Good Privacy


Last class ...

• RSA is an asymmetric key algorithm useful for transmitting secrets, i.e. for encryption rather than key exchange (as Diffie-Hellman)

• RSA not the only such algorithm, but it is the most widely used, especially as patents are now expired

• Hash functions provide a way to do a one-way integrity computation on a variable length input

• Combining D-H, RSA, and hashing, we have all the tools needed to provide confidentiality, integrity, and authenticity


Basic Cryptographic Authentication

Alice: Select random n

Alice → Bob: n

Bob: Encrypt n with own private key

Bob → Alice: E(n)

Alice: Decrypt E(n) w/Bob’s public key

D[E(n)] = n ?

If yes, Bob is authenticated

This system is known as challenge / response authentication


Challenge / Response Under the Microscope

• What does this exchange really tell Alice?

– Does she know who Bob is?

– Can she be sure she is really connected to Bob?

– Why?

– Why not?

• We need a better way to do this


RSA to the Rescue?

• Consider this possibility

– Generate a message

– When finished, encrypt the message with your private key

– Send the message to the intended recipient

– Recipient decrypts the message using your public key

– If message decrypts, recipient assumes you sent it, and you are therefore authenticated


Flaws In This Scheme?

• What does it prove if you can decrypt a message encrypted with someone’s private key?

• What if Alice and Bob don’t know one another before this communication?

– What is the basis for trust?

– How is trust established?

• We’ll come back to this later


Remember the Hash Function

Source: RSA Laboratories, Inc.


Back to Our Message

• Suppose we take the message text and hash it, producing a message digest

• Now we encrypt the hash with our private key, and append this to the end of the message

• This is called a digital signature

• It is not necessary that the message body be encrypted for it to be digitally signed.


At the Other End...

• Recipient gets our message, and decrypts the message digest we encrypted with our private key, using our public key

• Recipient now has the message digest in cleartext

• Recipient computes the message digest over the text of the message

• If the two hashes match, the message has not been changed and it is authentic


IF...

• We can be certain that the private key used to encrypt the message digest does, in fact, belong to the person we think it does

• This requires a trust relationship so that we can have some assurance of who owns that private key

• There are two types of trust mechanisms


Web of Trust

[Diagram: Bob, Alice and Carol, with an existing trust relationship between Bob and Alice and another between Alice and Carol]

Derived trust relationship: Bob trusts Alice, and Alice trusts Carol, so Bob trusts Alice to introduce Carol and then Bob trusts Carol


Web of Trust Issues

• Peer-to-peer approach

• Does not deal nicely with third-level and higher unknowns

– Does Bob trust Carol to introduce Don?

– How about Earl, whom none of the above know?

• Is it usable?

– Yes -- this is the model used by PGP

• Does it scale nicely?

– No -- scales exponentially


Hierarchy of Trust

[Diagram: trust hierarchy. Root A at the top, B and C on the second level, D, E and F on the third]

B, C trust A

D, E, F trust B

F also trusts C

So, ALL trust A

BUT, D, E do not trust C


Issues

• How do we know A is trustworthy?

– Because A says so!

• What are the criteria for establishing trust relationships?

• Is this useful for extending trust to entities previously unknown to you?

• Does it scale?

– Yes, linearly


Hierarchy is the Basis for X.500 Directory Services

• X.500 began as the answer to harmonizing telephone directories all over the world

– At its root, X.500 is a database specification

– Basic implementation is the Directory Access Protocol, DAP, which is rather “chatty”

– This led, in turn, to the Lightweight Directory Access Protocol, LDAP

• X.509 developed as a way of implementing hierarchical trust structures


Enter the Certification Authority

• A Certification Authority (CA) is a trusted third party who issues Digital Certificates that bind a user to that user’s public key

– The CA digitally signs the digital certificate, so that any changes (such as substituting another public key) will be obvious

– The CA has no knowledge of the user’s private key


Digital Signatures in General

[Diagram, two halves]

Digital Signature Creation: Message → MD → Encrypt w/sender’s private key

Digital Signature Verification: Decrypt w/sender’s public key → MD; Message → Compute MD; =? No → Bogus, Yes → Authentic


Digital Certificates

• Clearly, for this to work, all parties must use the same format for the certificates

• The most popular (but not the only) standard in current use is X.509 v3

• An X.509 certificate has a fixed format, and contains certain mandatory items, in a prescribed order, so it is easy for a computer to scan and verify


X.509 Certificate Contents

• Version

• Serial number

• Signature algorithm identity

• Name of issuing CA

• Period of validity (not before - not after)

• Subject name to whom certificate refers

• Subject’s public key

• Subject distinguished name (X.500)

• Extensions (added in X.509 v3)

• Digital signature over the entire certificate


Uses for Certificates

• Anyone can obtain the digital certificate for anyone else with whom they wish to conduct secure communications, whether or not they have a previous relationship

• The CA attests that the public key in the certificate is really the public key of the subject named in the certificate. You know who you are talking to! (Or do you?)

• This greatly facilitates electronic commerce


More Issues With CA’s

• How do you trust the CA?

• Who guarantees the “goodness” of the top of the hierarchy?

• What are the liability issues?

• Does this really guarantee you know who’s who in the digital world?

• The hierarchy of CAs is called the Public Key Infrastructure


Where Do the Certificates Come From?

• So-called root certificates are pre-loaded on web clients for use by average folks

• If you are presented with a certificate for which you have a root certificate on your machine, then that certificate is checked and you are told if there are any problems such as the certificate being expired, etc.

• You then choose what to do


Trust?

• Because the certificates are pre-loaded by the web client maker, you are actually trusting Microsoft or Netscape

• You can customize the set of certificates in any web client, provided that the client has not itself been customized to prevent that.

– It is common to put custom browsers on desktops to prevent users taking liberties with system settings, adding certificates, etc.


Putting it all together

• Up to now, we have seen how the pieces are created to perform certain cryptographic functions.

• How can these things be integrated to make a system that does something useful?

• One such system that we can examine is PGP.


Pretty Good Privacy (PGP)

• Arguably, the first quality crypto system, not developed by or for a government, that is available to non-government entities

• Developed by Phil Zimmermann

– When developed, held to violate the Munitions Act which barred export of encryption

– U. S. Government brought charges against Mr. Zimmermann, which were ultimately dropped

• Available worldwide, free over Internet


PGP

• Versions available for most OS’s

• Algorithms have passed extensive public review, considered extremely secure

• Wide applicability

• Developed outside of any governmental agencies

– In fact, drew (and continues to draw) the wrath of many governments


Availability

• Network Associates was offering a commercial version of PGP, using the Red Hat/Linux model of adding value

– This business unit was discontinued mid-2002

– Commercial version finally sold, but its future is in doubt

• Freeware version continues to be available over the Internet, together with source code


Algorithms Supported

• Symmetric encryption

– CAST-128

– IDEA

– TDEA (3 key, 168 bits)

• Asymmetric encryption

– RSA

– DSS (Digital Signature Standard)

– El Gamal

• Hashing

– SHA-1


PGP Functions

• Digital signature

• Message confidentiality

• Data compression

• E-mail compatibility

– Only sends ASCII characters

– cf. Kermit

• Internet / email message size compatibility

– Segmentation of large messages


PGP Digital Signature

• Hash message using SHA-1

• Encrypt hash with RSA using sender’s private key

• Prepend encrypted hash to message

• Recipient decrypts hash with sender’s public key

• Generates new hash, compares with decode

– Message authentic if match


PGP Digital Signatures

[Diagram, two halves]

Digital Signature Creation: Message → SHA-1 → Encrypt w/sender’s private key (RSA*)

Digital Signature Verification: Decrypt w/sender’s public key (RSA*) → SHA-1; Message → Compute SHA-1; =? No → Bogus, Yes → Authentic

* Alternatively, DSS (FIPS PUB 186)
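
The hash-then-sign steps shown here (the same ones as under "Back to Our Message", "At the Other End..." and "IF...") as an added Python example, not part of the original lecture. It carries the "IF..." condition through with a CA-signed binding as in "Enter the Certification Authority". Assumptions: the RSA keys are toy values constructed from known primes, RSA is used unpadded, and the names CA, ALICE, MALLORY and the JSON certificate layout are made up for this sketch.

```python
import hashlib
import json

# Constructed toy RSA keys built from known Mersenne primes. Such moduli are
# trivially factorable and unpadded RSA is not a real signature scheme.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public_part(key):
    return {"n": key["n"], "e": key["e"]}

CA = make_key(2**127 - 1, 2**89 - 1)       # hypothetical certification authority
ALICE = make_key(2**107 - 1, 2**61 - 1)    # genuine sender
MALLORY = make_key(2**107 - 1, 2**89 - 1)  # impostor holding her own key pair

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(data: bytes, key) -> int:
    """Hash the message, then apply the signer's private key to the digest."""
    return pow(digest(data), key["d"], key["n"])

def verify(data: bytes, signature: int, public) -> bool:
    """Recover the digest with the public key and compare with a fresh hash."""
    return pow(signature, public["e"], public["n"]) == digest(data)

def _encode(body) -> bytes:
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(issuer_key, subject, subject_public, not_before, not_after):
    """Bind a subject name to a public key under the issuer's signature."""
    body = {"subject": subject, "public_key": subject_public,
            "not_before": not_before, "not_after": not_after}
    return {"body": body, "signature": sign(_encode(body), issuer_key)}

def certified_key(cert, ca_public, today):
    """Return the subject's public key only if the CA signed it and it is in date."""
    body = cert["body"]
    if not verify(_encode(body), cert["signature"], ca_public):
        return None
    if not body["not_before"] <= today <= body["not_after"]:
        return None
    return body["public_key"]

def accept(message, signature, cert, ca_public, today):
    key = certified_key(cert, ca_public, today)
    return key is not None and verify(message, signature, key)

def demo():
    ca_pub = public_part(CA)
    good_cert = issue_certificate(CA, "alice", public_part(ALICE),
                                  "2003-01-01", "2003-12-31")
    fake_cert = issue_certificate(MALLORY, "alice", public_part(MALLORY),
                                  "2003-01-01", "2003-12-31")
    msg, forged = b"Pay Bob $10", b"Pay Mallory $10,000"
    sig, forged_sig = sign(msg, ALICE), sign(forged, MALLORY)
    return {
        "genuine": accept(msg, sig, good_cert, ca_pub, "2003-03-01"),
        "altered_text": accept(b"Pay Bob $99", sig, good_cert, ca_pub, "2003-03-01"),
        # The arithmetic alone succeeds for whoever holds the matching private key,
        "forged_raw_math": verify(forged, forged_sig, public_part(MALLORY)),
        # so acceptance has to depend on who vouched for the public key.
        "forged_with_fake_cert": accept(forged, forged_sig, fake_cert, ca_pub,
                                        "2003-03-01"),
        "expired_cert": accept(msg, sig, good_cert, ca_pub, "2004-01-15"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the genuine case is accepted; the forged signature verifies mathematically against Mallory's own key but fails once the key must be vouched for by the CA.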


PGP Signature Features

• Choice of two encryption algorithms

– RSA

– DSS (Digital Signature Standard, FIPS 186)

• Signatures can be detached from message

– Facilitates separate signature log

– Signature can be virus check on executable

– Enables multiple signatures on single message without nesting the signatures (e.g., contracts)


PGP Encryption Options

• Uses one of these symmetric systems

– TDEA with three keys (you know this one)

– CAST-128

– IDEA

• Sender generates session key

• RSA used to encrypt session key, which is prepended to the encrypted message


IDEA

• International Data Encryption Algorithm

– By Xuejia Lai and James Massey, Swiss Federal Institute of Technology, 1991

– Feistel cipher, well-reviewed

• Eight rounds

• No S-boxes in round function

– XOR, binary addition and multiplication (16-bit integers)

• Complex subkey generation using circular shifts

– Six subkeys for each round


CAST-128 Cipher

• Carlisle Adams & Stafford Tavares, 1997

– IETF RFC 2144 defines

– Key size: 40, 48, 56,…,128 bits

– Extensive review, becoming fairly common

– Feistel cipher

• Fixed S-boxes, larger than DES

• S-boxes designed to be nonlinear, resistant to cryptanalysis

• Subkeys also generated by nonlinear processes

• Round function varies from round to round


PGP Confidentiality

• Sender generates random 128-bit number as session key for this message only

• Message encrypted with session key

• Session key encrypted with recipient’s public key, and prepended to message

• Recipient decrypts session key with recipient’s private key

• Uses session key to decrypt message


Options

• Can use RSA or El Gamal to encrypt session key

• Key sizes

– 768 to 3072 bits

– DSS signatures fixed at 1024 bits

• Confidentiality and authentication can be combined in a single message

– A very good idea!


Authenticated Secure Message

• Sender signs message with own private key

• Sender generates session key and encrypts message with the session key

• Sender encrypts session key with recipient’s public key


Compression

• PGP was targeted at email, so compression is an important feature

• Compression (ZIP) applied after signature, but before encryption of message body

– Ensures same signature despite compression

• Compressed message is encrypted

– Less redundancy than original, so cryptanalysis harder
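
An added example, not from the original lecture, of the steps under "PGP Confidentiality", "Options" and "Compression": compress, encrypt under a one-time 128-bit session key, and wrap that key with El Gamal for the recipient. Assumptions: P and G are toy group parameters constructed here, and a SHA-256 counter keystream stands in for CAST-128/IDEA/TDEA, which the Python standard library does not provide.

```python
import hashlib
import secrets
import zlib

# Toy El Gamal parameters, constructed for this example: P is the Mersenne
# prime 2**521 - 1 and G a fixed base. Real keys use vetted parameters.
P = 2**521 - 1
G = 3

def keygen():
    """Return (private x, public G^x mod P) for the recipient."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for CAST-128/IDEA/TDEA: XOR with a SHA-256 counter keystream."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def pgp_encrypt(message: bytes, recipient_public: int) -> dict:
    session_key = secrets.token_bytes(16)      # random 128 bits, this message only
    # Compress first, then encrypt the compressed body with the session key.
    body = keystream_xor(session_key, zlib.compress(message))
    k = secrets.randbelow(P - 3) + 2           # per-message El Gamal secret
    wrapped = (pow(G, k, P),
               int.from_bytes(session_key, "big") * pow(recipient_public, k, P) % P)
    # The wrapped session key travels in front of the encrypted body.
    return {"wrapped_key": wrapped, "body": body}

def pgp_decrypt(packet: dict, recipient_private: int) -> bytes:
    c1, c2 = packet["wrapped_key"]
    # c2 / c1^x mod P; the exponent P-1-x gives the inverse power (Fermat).
    recovered = c2 * pow(c1, P - 1 - recipient_private, P) % P
    try:
        session_key = recovered.to_bytes(16, "big")
        return zlib.decompress(keystream_xor(session_key, packet["body"]))
    except (OverflowError, zlib.error) as exc:
        raise ValueError("session key not recoverable with this private key") from exc

if __name__ == "__main__":
    private, public = keygen()
    text = b"Constructed sample message for the recipient. " * 10
    packet = pgp_encrypt(text, public)
    print(len(text), "bytes in,", len(packet["body"]), "bytes of encrypted body")
    print(pgp_decrypt(packet, private) == text)
```

The encrypted body here carries no integrity protection of its own; the "Authenticated Secure Message" slide supplies that by signing before this step.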


Compatibility

• After encryption, message contains stream of arbitrary binary octets

• Some email systems permit transmission of only ASCII text

• PGP provides option to convert data stream to blocks of ASCII text for compatibility

– 3 octets become 4 ASCII characters

– Known as Radix-64 conversion

– Expands size by 33% (because 3 become 4)


Radix-64 Conversion

• Straightforward mapping of binary 6-bit values into printable ASCII characters

– no hyphen, no control characters

• Expands input by 33%, but ZIP still provides about 33% overall compression

• Even if input is ASCII, conversion will be done if selected, which provides primitive level of confidentiality absent encryption
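
An added example (not from the original lecture) of the Radix-64 mapping described under "Compatibility" and "Radix-64 Conversion": each group of 3 octets becomes four 6-bit indexes into a printable alphabet, with "=" padding for a short final group. The alphabet is the standard base64 one; wire_sizes is a helper named here to compare sizes with and without ZIP, and the sample text is constructed.

```python
import zlib

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")

def radix64_encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Pack up to 3 octets into one 24-bit group, zero-filled on the right.
        group = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [ALPHABET[(group >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1              # 1 octet -> 2 chars, 2 -> 3, 3 -> 4
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)

def radix64_decode(text: str) -> bytes:
    if len(text) % 4:
        raise ValueError("Radix-64 text must be a multiple of 4 characters")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        if pad > 2:
            raise ValueError("too much padding in final group")
        group = 0
        for ch in quad.rstrip("="):
            group = (group << 6) | ALPHABET.index(ch)   # ValueError on bad char
        group <<= 6 * pad                  # restore the zero-filled low bits
        out += group.to_bytes(3, "big")[:3 - pad]
    return bytes(out)

def wire_sizes(message: bytes) -> dict:
    """Octet counts for a message sent armored, with and without ZIP first."""
    zipped = zlib.compress(message, 9)
    return {"original": len(message),
            "zipped": len(zipped),
            "armored_plain": len(radix64_encode(message)),
            "armored_zipped": len(radix64_encode(zipped))}

if __name__ == "__main__":
    sample = b"Constructed sample: the meeting moved to Thursday at ten.\n" * 20
    print(wire_sizes(sample))
    armored = radix64_encode(b"plain ASCII text")
    # Decoding needs no key, so the conversion hides text only from a casual glance.
    print(armored, "->", radix64_decode(armored))
```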


Segmentation

• Some systems limit the size of messages, often to about 50K octets

• PGP provides a built-in service to segment messages into parts small enough to transit the system, and then to reassemble the message properly at the destination for presentation to the recipient

• Much like packet assembly / disassembly


PGP Keys

• Four types

– One-time session keys

– Public keys

– Private keys

– Passphrase-based keys

• User may desire multiple public/private key pairs

– How does recipient know which one was used?


Key Identifiers

• So that recipient knows which public key was used, a key ID is transmitted with the message

– Key ID = least significant 64 bits of the public key

• Avoids wasted BW if entire public key were sent

• Very low probability of duplicate key IDs


Key Rings

• Simply tables of private and public keys, where each row represents one key pair

– Can be indexed by user ID or key ID

• Private key not stored in clear in key ring

– Encrypted using CAST-128, etc.

– Passphrase used to access private-key ring

• Passphrase is hashed with SHA-1

• First 128 bits used to encrypt private key


Key Management

• PGP uses the Web of Trust key management model

– Therefore, you must trust someone else to sign a third party’s key

– Provides for partial levels of trust

• Difficult--is someone 40% trusted or 62%?

• What does this mean in practice?

– How to deal with wholly unknown third parties?

• PGP proponents dismiss these concerns, but they are serious issues for e-commerce, etc.


PGP Web of Trust

[Diagram: You at the top, B and C on the second level, D, E and F on the third]

You trust C

You partially trust B

B trusts D, E, F

C trusts F

So, you trust C to sign for F

BUT, you partially trust B to sign for D, E, F

What does this mean?
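
The diagram above worked through in code, as an added example that is not part of the original lecture. It assumes PGP-style thresholds (one fully trusted or two partially trusted introducers make a key valid), which are parameters chosen here and not stated on the slides, and that your own copies of B's and C's keys have already been validated.

```python
FULL, MARGINAL, UNTRUSTED = "full", "marginal", "untrusted"

# The relationships from the slide: who has signed whose key, and how far
# "You" trust each introducer.
SLIDE_SIGNATURES = {"B": ["D", "E", "F"], "C": ["F"]}
SLIDE_TRUST = {"B": MARGINAL, "C": FULL}

def key_validity(signatures, owner_trust, completes_needed=1, marginals_needed=2):
    """Decide, for every signed key, whether the signatures on it suffice.

    signatures:  {introducer: [names of keys that introducer signed]}
    owner_trust: {introducer: FULL | MARGINAL | UNTRUSTED}, set by the user
    The two thresholds are assumed defaults, not values from the slides.
    """
    vouchers = {}
    for introducer, signed_keys in signatures.items():
        level = owner_trust.get(introducer, UNTRUSTED)
        for key in signed_keys:
            entry = vouchers.setdefault(key, {FULL: [], MARGINAL: [], UNTRUSTED: []})
            entry[level].append(introducer)

    report = {}
    for key, entry in vouchers.items():
        if (len(entry[FULL]) >= completes_needed
                or len(entry[MARGINAL]) >= marginals_needed):
            status = "valid"
        elif entry[FULL] or entry[MARGINAL]:
            status = "marginal"      # some support, but below both thresholds
        else:
            status = "unknown"       # only signed by people you do not trust
        report[key] = {"status": status,
                       "full": entry[FULL], "marginal": entry[MARGINAL]}
    return report

if __name__ == "__main__":
    for key, info in sorted(key_validity(SLIDE_SIGNATURES, SLIDE_TRUST).items()):
        print(key, info)
```

Under these thresholds F is valid through C, while D and E stay marginal until a second partially trusted introducer also signs them.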


Digital Signatures Summary

• Combining hashing algorithms and asymmetric cryptography, we can digitally sign a message

• A digitally signed message can, under certain conditions, assure both the integrity of the contents and the authenticity of the sender

• Trust relationships are necessary to extend this concept. Digital certificates can be used within a trust relationship to validate the public key belonging to a user. The most common such system is X.509 v3


PGP In Summary

• Illustrates the combination of symmetric and asymmetric crypto to create a system

• Very good cryptosystem, providing confidentiality, authentication, and features to make it compatible with email

• Despised by governments worldwide, and subject to legal restrictions in many places

• Complex key management scheme that does not scale well to large systems where parties previously unknown need services


Homework

• Read Stallings, Chapter 5.1, Chapter 6, on IPSec

• Do Stallings, Problems 4.3, 4.4, 5.1, 5.2, 5.4