• H is a one-way function
• n (bit length of the input) is unbounded
• n' (bit length of the output) is short (and usually fixed)
➡ H is a lossy compression function
Two families of hash functions
• Non-keyed, a.k.a. message digest: H(m_n) = m'_n'
  e.g. password protection, digital signatures
• Keyed, a.k.a. MAC (Message Authentication Code): H_k(m_n) = m'_n'
  e.g. message integrity
[Diagram: H maps the distinct inputs m1, m2, m3 onto only two outputs x1, x2]
PR - Preimage Resistance
➡ given H and x, hard to find m with H(m) = x
  e.g. password storage
2PR - Second Preimage Resistance
➡ given H, m and x, hard to find m' such that H(m) = H(m') = x
  e.g. virus resistance (Tripwire tool)
CR - Collision Resistance
➡ given H, hard to find m and m' such that H(m) = H(m') = x
  e.g. digital signatures
CR ⇒ 2PR ⇒ PR
[Diagram: H maps m to x]
IV (Initialization Vector)
• Non-keyed: the IV (Initialization Vector) is fixed
• Keyed: the key is supplied as the IV
➡ The commonly used standards are non-keyed
H(m_n) = m'_n'   (n input bits, n' output bits)
H_k(m_n) = m'_n'
[Diagram: H with an IV of n' bits takes input m (n bits) and produces output x (n' bits)]
CR: given H, hard to find m and m' such that H(m) = H(m') = x
Given a hash function H of n bits output
• Reaching all possibilities: 2^n cases
• On average, an attacker should try half of them: 2^(n-1) cases
[Diagram: H maps m to x]
… the same birthday in a room of 23 people”
N-bits security
➡ Given a hash function H of n bits output, a collision can be found in around 2^(n/2) evaluations
  e.g. SHA-256 is 128 bits security
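As an added illustration (not part of the original slides), the birthday bound above run on a small hash: SHA-256 truncated to n bits stands in for an n-bit H, and the sequential "msg-i" inputs are a constructed choice; the collision search is expected to succeed after roughly 2^(n/2) evaluations, far below the 2^n of exhaustion.

```python
import hashlib


def truncated_hash(data: bytes, n_bits: int) -> int:
    """SHA-256 truncated to its first n_bits, standing in for an n-bit hash H (assumption)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def birthday_bound(n_bits: int) -> float:
    """Expected work to find a collision on an n-bit output: about 2^(n/2) evaluations.

    For SHA-256 (n = 256) this is 2^128, i.e. 128 bits of collision security.
    """
    return 2 ** (n_bits / 2)


def find_collision(n_bits: int):
    """Evaluate H on distinct messages until two outputs match.

    Returns (m, m', tries) with m != m' and H(m) == H(m').  The loop is bounded
    by 2^n + 1 messages: by the pigeonhole principle a collision must appear
    before that, so the final return is never reached.
    """
    seen = {}  # output x -> first message that produced it
    for i in range((1 << n_bits) + 1):
        m = b"msg-%d" % i  # constructed inputs; any distinct messages would do
        x = truncated_hash(m, n_bits)
        if x in seen:
            return seen[x], m, i + 1
        seen[x] = m
    return None  # unreachable, see docstring


if __name__ == "__main__":
    n = 24
    m1, m2, tries = find_collision(n)
    print("%d-bit H: collision %r / %r after %d evaluations "
          "(2^(n/2) = %d, 2^n = %d)" % (n, m1, m2, tries, birthday_bound(n), 1 << n))
```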
… confidentiality)
• Integrity: protecting the content of a message
• Authentication: protecting the origin of a message
• Non-repudiation: protecting the identity of the originator
… key k
➡ Option 1: using a keyed hash function on the message
  MAC_k(m) = H_k(m)
➡ Option 2: using a non-keyed hash function on the message (HMAC)
  MAC_k(m) = H(k || m)
[Diagram: m || MAC_k(m) is transmitted under the shared MAC key k; properties: Integrity, Authentication]
… key k
➡ Option 1: envelope method
  MAC_k(m) = H(k || m || k)
➡ Option 2: padding method
  pad(k, m) returns a message whose length is a multiple of the hash input block
  a = H(pad(k, m) || m)
  MAC_k(m) = H(pad(k, a) || a)
[Diagram: m || MAC_k(m) is transmitted under the shared MAC key k; properties: Integrity, Authentication]
… and Km
Option 1: E_Ke(m) || H_Km(m)   e.g. SSH
Option 2: E_Ke(m || H_Km(m))   e.g. SSL
Option 3: E_Ke(m) || H_Km(E_Ke(m))   e.g. IPsec
Ke: encryption key, Km: MAC key
[Diagram: shared keys Ke and Km; properties: Integrity, Authentication, Confidentiality]
… keys
[Diagram: m || SIG_Ksa(m) is transmitted; properties: Integrity, Authentication, Non-repudiation]
Alice and Bob have a pair of asymmetric keys
➡ Use public-key cryptography to sign and verify
  SIG_Ksa(m) = E_Ksa(H(m))
  VER_Kpa(m, s) = (D_Kpa(s) == H(m))
  VER_Kpa(m, SIG_Ksa(m))
… Kpb public keys
[Diagram: properties: Integrity, Authentication, Non-repudiation, Confidentiality]
Alice and Bob have a pair of asymmetric keys
➡ Use public-key cryptography to encrypt, sign and verify
  E_Kpb(m) || SIG_Ksa(m)
๏ Too slow to encrypt a long message
… Kpb public keys
[Diagram: properties: Integrity, Authentication, Non-repudiation, Confidentiality]
1. Alice generates a symmetric session key k
2. Use both symmetric and asymmetric cryptography to encrypt, sign and verify the message and the key
  E_Kpb(k) || E_k(m || E_Ksa(H(m)))
Transport Layer Security (a.k.a. SSL) provides
• confidentiality: end-to-end secure channel
• integrity: authentication handshake
“Hey, this is how HTTPS works!”
[Diagram: the client sends an HTTPS request to example.com and receives an HTTPS response; “Who are you?” / “I am example.com”]
Problem 1
The mechanics of mutual authentication and key exchange are prone to attacks (e.g. replay attack, man-in-the-middle attack)
➡ Cryptographic Protocols
Problem 2
Alice has never seen Bob, how can she trust his identity?
➡ Trust Models
… published public keys
• They can talk to each other using the same protocol
Goal
When two parties engage in the communication, they want to
1. make sure that they talk to the right person (authentication)
2. exchange a symmetric session key
… the other principals:
1. send and receive messages
2. encrypt and decrypt with known keys
In addition, the attacker has full control over the network:
3. intercept messages
… Bob’s public key fingerprint
• either by communicating with Bob over another channel
• or by trusting someone that already trusts Bob
➡ the web of trust
[Diagram: Alice and Bob; a party announces “I am Bob!” and presents the public key Pkm]