
INFORMATION AND NETWORK SECURITY CRYPTO


Academic year: 2018


MADIS SARALITA – 5112100038 Information and Network Security (C)

PART 3 : CRYPTOGRAPHIC

DATA INTEGRITY ALGORITHMS

CHAPTER 11

CRYPTOGRAPHIC HASH FUNCTIONS

CHAPTER 12

MESSAGE AUTHENTICATION CODES

CHAPTER 13


CHAPTER 11

CRYPTOGRAPHIC HASH FUNCTIONS

A hash function, denoted H, accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M). The purpose of a hash function is data integrity. A cryptographic hash function is an algorithm for which it is computationally infeasible to find an input that maps to a given hash value, or two inputs that map to the same hash value. Because of that, hash functions are often used to detect changes to data.

11.1 APPLICATIONS OF CRYPTOGRAPHIC HASH FUNCTIONS

Message Authentication

Message authentication is a mechanism to verify the integrity of a message. It ensures that the messages received are genuine and contain no modification. In message authentication, the hash function value is referred to as a message digest. Some methods avoid encryption because:

• Encryption software is relatively slow.

• Encryption hardware is costly.

• Encryption hardware is not optimized for small blocks of data.

• Licensed encryption algorithms carry a cost.

The Message Authentication Code (MAC) is the most commonly used function for message authentication. It is also known as a keyed hash function and is used to authenticate information exchanged between two parties.

Digital Signatures

A digital signature is a system that is similar to a MAC. The hash value in this system is encrypted with a user’s private key. Anyone who knows the user’s public key can verify the message. These are the steps by which a hash code provides a digital signature:

• The hash code is encrypted using public-key encryption with the sender’s private key.

• Then, the message plus the private-key-encrypted hash code can be encrypted using a symmetric secret key.

Other Applications

• Hash functions are commonly used to make a one-way password file.

• Hash functions can be used for intrusion detection.

• Hash functions can also be used for virus detection.

• A Pseudorandom Function (PRF) or a Pseudorandom Number Generator (PRNG) can be constructed from a cryptographic hash function.

11.2 TWO SIMPLE HASH FUNCTIONS

That operation produces a simple parity for each bit position. It is also known as a longitudinal redundancy check.

Another simple hash function uses rotated XOR (RXOR). This procedure randomizes the input more completely. For a message M that consists of a sequence of 64-bit blocks, define the hash code by

Then, the message plus hash code is encrypted using CBC mode to produce the encrypted message.

But X_{N+1} is the hash code:

The hash code would not change if the ciphertext blocks were permuted.

11.3 REQUIREMENTS AND SECURITY

Security Requirements for Cryptographic Hash Functions

h = H(x)

x is the preimage of h, that is, a data block whose hash value is h. Because H is a many-to-one mapping, a collision occurs if we have x ≠ y and H(x) = H(y). Such collisions are clearly undesirable.

Requirements for a Cryptographic Hash Function H:

• Variable input size

• Fixed output size

• Efficiency

• Preimage resistant (one-way property)

• Second preimage resistant (weak collision resistant)

• Collision resistant (strong collision resistant)

• Pseudorandomness

Brute-Force Attacks

• A brute-force attack depends only on the bit length of the hash value.

• A brute-force attack does not depend on the specific algorithm.

• Hash function resistance properties required for various data integrity applications

Cryptanalysis

• A cryptanalytic attack on a hash function exploits some property of the algorithm.

• An ideal hash algorithm requires a cryptanalytic effort greater than or equal to the brute-force effort.

• The hash algorithm uses a compression function repeatedly.

• The function takes two inputs, a chaining variable and a b-bit block.

• The function produces an n-bit output.

• The hash function can be summarized as

• Cryptanalytic attacks focus on the internal structure of the compression function.

11.4 HASH FUNCTIONS BASED ON CIPHER BLOCK CHAINING

A hash function based on CBC divides a message M into fixed-size blocks and uses a symmetric encryption system to compute the hash code G as

• The difference is that there is no secret key in this case.

• Steps of the algorithm:

o Calculate the unencrypted hash code G.

o Construct any desired message in the form Q_1, Q_2, . . . , Q_{N-2}.

o Compute H_i = E(Q_i, H_{i-1}) for 1 ≤ i ≤ (N-2).

o Generate random blocks.

o Based on the birthday paradox, with high probability there will be an X and Y such that E(X, H_{N-2}) = D(Y, G).

o Form the message Q_1, Q_2, . . . , Q_{N-2}, X, Y. This message has the hash code that can be used with the intercepted encrypted signature.

11.5 SECURE HASH ALGORITHM (SHA)

Secure Hash Algorithm (SHA) is the most widely used hash function.

SHA-512 Logic

• Takes as input a message with a maximum length of less than 2^128 bits.

• The input is processed in 1024-bit blocks.

• Produces a 512-bit message digest as output.

• Comparison of SHA Parameters

• Steps of the algorithm:

o Append padding bits.

o Append length.

o Initialize hash buffer.

o Process message in 1024-bit (128-word) blocks.

o Output.

SHA-512 Round Function

• Each round is defined by the following set of equations:

• The remaining values are defined as:

11.6 SHA-3

Beyond the basic requirements, NIST defined a set of evaluation criteria designed to cover applications including digital signatures, hashed message authentication codes, key generation, and pseudorandom number generation. The resulting hash function is known as SHA-3.

• SHA-3 algorithms are designed to resist any potentially successful attack on SHA-2 functions.

• SHA-3 should be efficient over a range of hardware platforms (time and memory).

• SHA-3 is more flexible.

Question:

Based on sources I read on the internet, when using SHA-512, a number of padding bits are added so that the message length is congruent to 896 mod 1024. How is the message made congruent in this way? And why must it be congruent to 896 mod 1024?

SOURCE


CHAPTER 12

MESSAGE AUTHENTICATION CODES

12.1 MESSAGE AUTHENTICATION REQUIREMENTS

• Disclosure

Release of message contents to any person or process that does not possess the appropriate cryptographic key.

• Traffic analysis

Discovery of the pattern of traffic.

• Masquerade

Insertion of messages into the network that purport to come from an authorized source.

• Content modification

Changes to the contents of a message.

• Sequence modification

Modification of the sequence of messages.

• Timing modification

Delay or replay of messages.

• Source repudiation

Denial of transmission of a message by the source.

• Destination repudiation

Denial of receipt of a message by the destination.

12.2 MESSAGE AUTHENTICATION FUNCTIONS

Types of functions that may be used to produce an authenticator:

• Hash function

• Message encryption

• Message authentication code (MAC)

Message Encryption

Symmetric Encryption

• Symmetric encryption provides authentication as well as confidentiality.

• It may be difficult to determine whether incoming ciphertext decrypts to intelligible plaintext.

• The solution is to force the plaintext to have some structure that is easily recognized.

• The plaintext could not be replicated without recourse to the encryption function.

• With internal error control, authentication is provided because it is difficult to produce ciphertext that has valid error control bits when decrypted.

Public-Key Encryption

• Public-key encryption with the receiver's public key provides confidentiality.

• Used that way, it cannot provide authentication.

• To provide both confidentiality and authentication, the sender can encrypt the message first using its private key, which provides the digital signature, and then using the receiver's public key, which provides confidentiality.

• The disadvantage is the complexity of the public-key algorithm.

Message Authentication Code

A Message Authentication Code (MAC), also known as a cryptographic checksum, is an alternative authentication technique that uses a secret key to generate a small fixed-size block of data.

MAC function

• A MAC algorithm need not be reversible.

• A MAC function is a many-to-one function.

• In the first case, the MAC is calculated with the message as input, and then the entire block is encrypted.

• In the second case, the message is encrypted first, then the MAC is calculated over the resulting ciphertext.

• A MAC does not provide a digital signature because both sender and receiver share the same key.

12.3 REQUIREMENTS FOR MESSAGE AUTHENTICATION CODES

Consider the following MAC algorithm. Let M = (X_1 || X_2 || . . . || X_m) be a message that is treated as a concatenation of 64-bit blocks X_i. Then define

The opponent can attack the system by replacing X through Y which is calculated as

• If an opponent observes M and MAC(K, M), it should be computationally infeasible for the opponent to construct a message M’ such that MAC(K, M’) = MAC(K, M).

• MAC(K, M) should be uniformly distributed in the sense that for randomly chosen messages, M and M’, the probability that MAC(K, M) = MAC(K, M’) is 2^(-n), where n is the number of bits in the tag.

12.4 SECURITY OF MACS

Brute-Force Attacks

A brute-force attack on a MAC is more difficult than on a hash function because it requires known message-tag pairs. If an attacker can determine the MAC key, a valid MAC value can be generated for any input x. If more than one key is found, additional text-tag pairs must be tested.

An attacker can also work without attempting to recover the key. The objective is then to find a message that matches a given tag. This attack cannot be conducted offline without further input, so the attacker will require chosen text-tag pairs.

Cryptanalysis

• Cryptanalytic attacks on a MAC exploit some property of the algorithm.

• An ideal MAC algorithm requires a cryptanalytic effort greater than or equal to the brute-force effort.

• The structure of MACs varies more than that of hash functions, so it is difficult to generalize about the cryptanalysis of MACs.

12.5 MACS BASED ON HASH FUNCTIONS: HMAC

Cryptographic hash functions such as MD5 and SHA execute faster in software than symmetric block ciphers such as DES, and library code for cryptographic hash functions is widely available.

HMAC Design Objectives

The objectives for HMAC:

• To use hash functions that perform well and whose code is freely available.

• To make the hash function easy to replace.

• To keep the original performance of the hash function.

• To handle keys in a simple way.

HMAC Algorithm

The picture above shows the HMAC structure. HMAC can then be expressed as

• H is a cryptographic hash function,

• K is a secret key padded to the right with extra zeroes to the input block size of the hash function, or the hash of the original key if it's longer than that block size,

• m is the message to be authenticated,

• | denotes concatenation,

• ⊕ denotes exclusive or (XOR),

• opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant),

• ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).

Security of HMAC

The cryptographic strength of the HMAC depends upon the size of the secret key that is used. The most common attack against HMACs is brute force to uncover the secret key. HMACs are substantially less affected by collisions than their underlying hashing algorithms alone.
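The HMAC construction built from the definitions listed above (key hashed or zero-padded to one block, then xored with ipad and opad), as an added example that is not part of the original notes. The function names are chosen here; the result is compared with Python's own hmac module for two hash functions and for keys shorter and longer than one block, and the receiver-side check uses a constant-time comparison.

```python
import hashlib
import hmac

def hmac_from_definition(key, msg, hash_name="sha256"):
    """HMAC(K, m) = H((K' xor opad) | H((K' xor ipad) | m))."""
    block_size = hashlib.new(hash_name).block_size   # 64 for SHA-256, 128 for SHA-512
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()   # long key: replaced by its hash
    key = key.ljust(block_size, b"\x00")             # short key: zero-padded on the right
    inner_key = bytes(b ^ 0x36 for b in key)         # K' xor ipad
    outer_key = bytes(b ^ 0x5C for b in key)         # K' xor opad
    inner = hashlib.new(hash_name, inner_key + msg).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()

def verify_tag(key, msg, tag, hash_name="sha256"):
    """Receiver side: recompute the tag and compare without leaking timing."""
    expected = hmac_from_definition(key, msg, hash_name)
    return hmac.compare_digest(expected, tag)

def matches_stdlib():
    """Compare with hmac.new over constructed keys of several lengths."""
    msg = b"constructed sample message"
    for hash_name in ("sha256", "sha512"):           # hash function is replaceable
        for key_len in (1, 20, 64, 65, 128, 200):    # below, at and above one block
            key = bytes(range(256))[:key_len]
            ours = hmac_from_definition(key, msg, hash_name)
            if ours != hmac.new(key, msg, hash_name).digest():
                return False
    return True

if __name__ == "__main__":
    key, msg = b"shared secret (constructed)", b"transfer 100 to account 42"
    tag = hmac_from_definition(key, msg)
    print(matches_stdlib(), verify_tag(key, msg, tag),
          verify_tag(key, b"transfer 900 to account 42", tag))
```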

12.6 MACS BASED ON BLOCK CIPHERS: DAA AND CMAC

Data Authentication Algorithm

The Data Authentication Algorithm (DAA) is an older algorithm that was used for producing cryptographic message authentication codes. According to the standard, a code produced by the DAA is called a Data Authentication Code (DAC). The algorithm chain encrypts the data, with the last cipher block truncated and used as the DAC.

Cipher-Based Message Authentication Code (CMAC)

CMAC (Cipher-based Message Authentication Code) is a block cipher-based message authentication code algorithm. It may be used to provide assurance of the authenticity and the

depends only on b. (Specifically, C is the non-leading coefficients of the lexicographically first irreducible degree-b binary polynomial with the minimal number of ones.)

3. If msb(k1) = 0, then k2 = k1 ≪ 1, else k2 = (k1 ≪ 1) ⊕ C.

4. Return keys (k1, k2) for the MAC generation process.
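The shift-and-conditional-xor rule of step 3, applied twice to derive both subkeys, as an added example that is not part of the original notes. It assumes the starting value k0 is the block cipher applied to the all-zero block, as the CMAC standard specifies; the names are chosen here, and the sample k0 and expected subkeys are the AES-128 values from the RFC 4493 test vectors.

```python
# Constant C for each block size b, as fixed by the CMAC standard.
C_FOR_BLOCK_BITS = {128: 0x87, 64: 0x1B}

def shift_and_reduce(block):
    """Return block << 1, xored with C when the dropped msb was 1."""
    bits = 8 * len(block)
    value = int.from_bytes(block, "big")
    shifted = (value << 1) & ((1 << bits) - 1)   # keep only b bits
    if value >> (bits - 1):                      # msb(block) = 1
        shifted ^= C_FOR_BLOCK_BITS[bits]
    return shifted.to_bytes(len(block), "big")

def cmac_subkeys(k0):
    """k0 is the cipher output for the all-zero block; returns (k1, k2)."""
    if 8 * len(k0) not in C_FOR_BLOCK_BITS:
        raise ValueError("CMAC is defined for 64-bit and 128-bit blocks")
    k1 = shift_and_reduce(k0)    # same rule as step 3, applied to k0
    k2 = shift_and_reduce(k1)    # step 3
    return k1, k2                # step 4

# RFC 4493 test vector: AES-128 of the zero block under key 2b7e1516...09cf4f3c.
SAMPLE_K0 = bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f")

if __name__ == "__main__":
    k1, k2 = cmac_subkeys(SAMPLE_K0)
    print("k1 =", k1.hex())      # msb(k0) = 0, so k1 is a plain shift
    print("k2 =", k2.hex())      # msb(k1) = 1, so C is xored in
```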

12.7 AUTHENTICATED ENCRYPTION: CCM AND GCM

Four common approaches to providing both confidentiality and encryption for a message:

• HtE: Hash-then-encrypt

• MtE: MAC-then-encrypt

• EtM: Encrypt-then-MAC

• E&M: Encrypt-and-MAC

Counter with Cipher Block Chaining-Message Authentication Code

CCM is a variation of the encrypt-and-MAC approach to authenticated encryption. The input to the CCM encryption process consists of three elements:

• Data that will be both authenticated and encrypted.

• Associated data A that will be authenticated but not encrypted.

• A nonce N that is assigned to the payload and the associated data.

Galois/Counter Mode

Galois/Counter Mode (GCM) is a mode of operation for symmetric key cryptographic block ciphers that has been widely adopted because of its efficiency and performance. GCM throughput rates for state of the art, high speed communication channels can be achieved with reasonable hardware resources. It is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality. GCM is defined for block ciphers with a block size of 128 bits.

The authentication tag is constructed by feeding blocks of data into the GHASH function, and encrypting the result. This GHASH function is defined by

where the variable X_i is defined as

GCM is ideal for protecting packetized data, because it has minimum latency and minimum operation overhead.

12.8 PSEUDORANDOM NUMBER GENERATION USING HASH FUNCTIONS AND MACS

PRNG Based on Hash function

The algorithm takes as input:

V = seed

Seedlen = bit length of V ≥ k + 64, where k is a desired security level expressed in bits

n = desired number of output bits

PRNG Based on MAC function

A higher degree of confidence can be achieved by using a MAC. A MAC-based PRNG is constructed with HMAC, because HMAC is widely implemented in many protocols and applications.

The MAC function has two inputs, a key K and a seed V. The combination of K and V forms the overall seed for the PRNG. If we assume that HMAC is secure, knowledge of the input and output should not be sufficient to recover K and hence not sufficient to predict future pseudorandom bits.

Question:

In HMAC, when the sender sends the hash, he also sends the hashing key. When the hash and the hashing key are combined, they form a new value. What is the function of this resulting value?

SOURCE

W. Stallings, Cryptography And Network Security Principles And Practice Fifth Edition, New York: Prentice Hall, 2011.

http://en.wikipedia.org/wiki/Hash-based_message_authentication_code accessed 27 April 2015

http://en.wikipedia.org/wiki/Data_Authentication_Algorithm accessed 27 April 2015

http://en.wikipedia.org/wiki/CMAC accessed 27 April 2015

CHAPTER 13

DIGITAL SIGNATURES

13.1 DIGITAL SIGNATURES

Properties

The picture above is a generic model of the digital signature process. A digital signature must have the following properties:

• It must verify the author and the date and time of the signature.

• It must authenticate the contents at the time of the signature.

• It must be verifiable by third parties, to resolve disputes.

Attacks and Forgeries

• Key-only attack: C knows only A’s public key.

• Known message attack: C is given a set of messages and their signatures.

• Generic chosen message attack: C chooses a list of messages before attempting to break A’s signature scheme.

• Directed chosen message attack: Similar to the generic attack, but the list of messages is chosen after C knows A’s public key but before any signatures are seen.

Digital Signature Requirements

• The signature must be a bit pattern.

• The signature must use unique information.

• It must be easy to produce the digital signature.

• It must be easy to recognize and verify the digital signature.

• It must be computationally infeasible to forge.

• It must be possible to retain a copy of the digital signature.

Direct Digital Signature

The term direct digital signature refers to a scheme that involves only the communicating parties. Confidentiality is ensured by encrypting the entire message plus signature with a shared secret key (symmetric encryption).

13.2 ELGAMAL DIGITAL SIGNATURE SCHEME

The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms.

• Let H be a collision-resistant hash function.

• Let p be a large prime such that computing discrete logarithms modulo p is difficult.

• Let g < p be a randomly chosen generator of the multiplicative group of integers modulo p.

These steps are performed once by the signer.

Signature generation

To sign a message m the signer performs the following steps.

• Choose a random k such that 1 < k < p − 1 and gcd(k, p − 1) = 1.

• Compute

• Compute

• If s = 0 start over again.

Then the pair (r, s) is the digital signature of m. The signer repeats these steps for every signature.

Verification

A signature (r, s) of a message m is verified as follows.

• 0 < r < p and 0 < s < p − 1.

Correctness

The algorithm is correct in the sense that a signature generated with the signing algorithm will always be accepted by the verifier.

The signature generation implies

Hence Fermat's little theorem implies

13.3 SCHNORR DIGITAL SIGNATURE SCHEME

In cryptography, a Schnorr signature is a digital signature produced by the Schnorr signature algorithm. Its security is based on the intractability of certain discrete logarithm problems. The Schnorr signature is considered the simplest digital signature scheme to be provably secure in a random oracle model. It is efficient and generates short signatures.

The first part of the scheme is the generation of a private/public key pair, in the following steps.

1. Choose primes p and q, such that q is a prime factor of p-1.

2. Choose an integer a, such that a^q = 1 mod p.

3. Choose a random integer s with 0 < s < q.

4. Calculate v = a^(-s) mod p.

A user with private key s and public key v then generates a signature:

1. Choose a random integer r with 0 < r < q and compute x = a^r mod p.

2. Concatenate the message with x and hash the result to compute the value e : e = H(M||x)

3. Compute y = (r + se) mod q. The signature consists of the pair (e, y).

Any other user can verify the signature as follows.

1. Compute x’ = a^y v^e mod p.

2. Verify that e = H(M||x’).
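The key generation, signing and verification steps above as a runnable Python sketch. This is an added example, not part of the original notes: the parameters p = 2039, q = 1019, a = 4 are toy values constructed here (far too small for real use), SHA-256 stands in for H, and encoding x as a decimal string inside M||x is an assumption of this example.

```python
import hashlib
import secrets

# Toy parameters constructed for this example; real groups are thousands of bits.
P, Q, A = 2039, 1019, 4

def params_ok():
    """q divides p-1, and a has order q (a != 1 and a^q = 1 mod p)."""
    return (P - 1) % Q == 0 and A % P != 1 and pow(A, Q, P) == 1

def hash_to_int(message, x):
    """e = H(M || x); x is appended as a decimal string (assumed encoding)."""
    digest = hashlib.sha256(message + str(x).encode()).digest()
    return int.from_bytes(digest, "big")

def keygen():
    s = secrets.randbelow(Q - 1) + 1       # private key, 0 < s < q
    v = pow(A, Q - s, P)                   # v = a^(-s) mod p, since a^q = 1
    return s, v

def sign(message, s):
    r = secrets.randbelow(Q - 1) + 1       # fresh secret r for every signature
    x = pow(A, r, P)                       # x = a^r mod p
    e = hash_to_int(message, x)
    y = (r + s * e) % Q
    return e, y

def verify(message, signature, v):
    e, y = signature
    if not 0 <= y < Q:                     # reject values outside the group order
        return False
    # a^y * v^e = a^(r + s*e) * a^(-s*e) = a^r = x (mod p)
    x_prime = (pow(A, y, P) * pow(v, e, P)) % P
    return e == hash_to_int(message, x_prime)

if __name__ == "__main__":
    assert params_ok()
    s, v = keygen()
    msg = b"constructed sample message"
    sig = sign(msg, s)
    print("valid signature accepted: ", verify(msg, sig, v))
    print("altered message accepted: ", verify(b"another message", sig, v))
    print("altered y accepted:       ", verify(msg, (sig[0], (sig[1] + 1) % Q), v))
```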

To see that the verification works, observe

13.4 DIGITAL SIGNATURE STANDARD

The DSS Approach

• Designed to provide only the digital signature.

• DSS cannot be used for encryption or key exchange.

• DSS uses a public-key technique.

• The signature function depends on the sender’s private key.

• Only the sender, with knowledge of the private key, could have produced the valid signature.

The Digital Signature Algorithm

This is the algorithm

With DSA, the entropy, secrecy, and uniqueness of the random signature value k is critical. It is so critical that violating any one of those three requirements can reveal the entire private key to an attacker. Using the same value twice (even while keeping k secret), using a predictable value, or leaking even a few bits of k in each of several signatures, is enough to break DSA.

Question:

In DSA, if the signature generation process produces the value s = 0, why is a new value of k generated and why must the signature be recomputed?

SOURCE

W. Stallings, Cryptography And Network Security Principles And Practice Fifth Edition, New York: Prentice Hall, 2011.

http://en.wikipedia.org/wiki/ElGamal_signature_scheme accessed 27 April 2015

http://en.wikipedia.org/wiki/Schnorr_signature accessed 27 April 2015
