Scribd
Upload
85 views

PKCS PDF

This document discusses public-key cryptography standards (PKCS). It describes how PKCS are a set of standards for public-key cryptography owned by RSA. The standards were created in the early 1990s and are numbered from PKCS1 to PKCS15. Some standards have lost interest or been folded into others over time, but the PKCS standards continue to evolve.

Uploaded by

Krishan verma
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
85 views

PKCS PDF

This document discusses public-key cryptography standards (PKCS). It describes how PKCS are a set of standards for public-key cryptography owned by RSA. The standards were created in the early 1990s and are numbered from PKCS1 to PKCS15. Some standards have lost interest or been folded into others over time, but the PKCS standards continue to evolve.

Uploaded by

Krishan verma
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 64

PKCS (Public-key cryptography

standards)

Códigos y Criptografía Francisco Rodríguez Henríquez


Network Access Security Model

Códigos y Criptografía Francisco Rodríguez Henríquez


Security Levels
• Confidentiality
– Protection from disclosure to unauthorized persons
• Integrity
– Maintaining data consistency
• Authentication
– Assurance of identity of person or originator of data
• Non-repudiation
– Originator of communications can't deny it later
• Authorization
– Identity combined with an access policy grants the rights to
perform some action
Códigos y Criptografía Francisco Rodríguez Henríquez
Security Building Blocks

• Encryption provides
– confidentiality, can provide authentication and
integrity protection
• Checksums/hash algorithms provide
– integrity protection, can provide authentication
• Digital signatures provide
– authentication, integrity protection, and non-
repudiation
Códigos y Criptografía Francisco Rodríguez Henríquez
Keys
• Symetric Keys
– Both parties share the same secret key
– A major problem is securely distributing the
key
– DES - 56 bit key considered unsafe for
financial purposes since 1998
– 3 DES uses three DES keys

Códigos y Criptografía Francisco Rodríguez Henríquez


Keys
• Public/Private keys
– One key is the mathematical inverse of the
other
– Private keys are known only to the owner
– Public key are stored in public servers,
usually in a X.509 certificate.
– RSA (patent expires Sept 2000), Diffie-
Hellman, DSA

Códigos y Criptografía Francisco Rodríguez Henríquez


A Simplified Model of Conventional
Encryption

Códigos y Criptografía Francisco Rodríguez Henríquez


Public-Key Cryptography

Códigos y Criptografía Francisco Rodríguez Henríquez


Public-Key Cryptography

Códigos y Criptografía Francisco Rodríguez Henríquez


Message Digest
• A message digest, also known as a one-way hash function, is a fixed
length computionally unique identifier corresponding to a set of data.
That is, each unit of data (a file, a buffer, etc.) will map to a particular
short block, called a message digest. It is not random: digesting the same
unit of data with the same digest algorithm will always produce the same
short block.
• A good message digest algorithm possesses the following qualities
– The algorithm accepts any input data length.
– The algorithm produces a fixed length output for any input data.
– The digest does not reveal anything about the input that was used to
generate it.
– It is computationally infeasible to produce data that has a specific digest.
– It is computationally infeasible to produce two different unit of data that
produce the same digest.
Códigos y Criptografía Francisco Rodríguez Henríquez
Hash Algorithms
• Reduce variable-length input to fixed-
length (128 or 160bit) output
• Requirements
– Can't deduce input from output
– Can't generate a given output
– Can't find two inputs which produce the
same output

Códigos y Criptografía Francisco Rodríguez Henríquez


Hash Algorithms
• Used to
– Produce fixed-length fingerprint of arbitrary-
length data
– Produce data checksums to enable detection
of modifications
– Distil passwords down to fixed-length
encryption keys
• Also called message digests or
fingerprints
Códigos y Criptografía Francisco Rodríguez Henríquez
Message Authentication
Code MAC
• Hash algorithm + key to make hash value
dependant on the key
• Most common form is HMAC (hash MAC)
– hash( key, hash( key, data ))
• Key affects both start and end of hashing process
• Naming: hash + key = HMAC-hash
– MD5 1 HMAC-MD5
– SHA-1 1 HMAC-SHA (recommended)
Códigos y Criptografía Francisco Rodríguez Henríquez
RSA: An Example

Códigos y Criptografía Francisco Rodríguez Henríquez


Digital Signatures
• Combines a hash with a digital signature
algorithm
• To sign
– hash the data
– encrypt the hash with the sender's private key
– send data signer’s name and signature
• To verify
– hash the data
– decrypt the signature with the sender's public key
– the result of which should match the hash
Códigos y Criptografía Francisco Rodríguez Henríquez
Digital Signatures
• A data string associating a message with an
originating entity
– Signature generation algorithm
– Signature verification algorithm
– Signature scheme
• Used for authentication, integrity, and
nonrepudiation
• Public key certification is one of the most
significant applications

Códigos y Criptografía Francisco Rodríguez Henríquez


Digital Signature/Verification
Schemes

Códigos y Criptografía Francisco Rodríguez Henríquez


Digital Signature/Verification
Schemes

Códigos y Criptografía Francisco Rodríguez Henríquez


Digital Signature/Verification
Schemes

Códigos y Criptografía Francisco Rodríguez Henríquez


Diffie-Hellman protocol

Códigos y Criptografía Francisco Rodríguez Henríquez


Diffie-Hellman protocol

Códigos y Criptografía Francisco Rodríguez Henríquez


Diffie-Hellman protocol

Códigos y Criptografía Francisco Rodríguez Henríquez


Key exchange: Diffie-Hellman protocol

1. Picks a ∈ GF(p) at random 1. Picks b ∈ GF(p) at random


2. Computes TA = ga mod p 2. Computes TB = gb mod p
3. Sends TA 3. Receives TA
4. Receives TB 4. Sends TB
5. Computes KA = TBa mod p 5. Computes KB = TAb mod p

Machine A Machine B

Where K = KA = KB, Because:


TBa = (gb)a = gba = gab = (ga)b = TAb mod p

Códigos y Criptografía Francisco Rodríguez Henríquez


Mensaje para Anita en La Jornada

Querida Anita de mi corazón:


Quisiera pedirte que nuestro número primo
sea 128903289023 y nuestra g 23489.
Te quiere
Betito.

Códigos y Criptografía Francisco Rodríguez Henríquez


Middle-person attack.
• Consider the following scenario:
Anita Middleperson Betito
ga = 8389 gx = 5876 gb = 9267
8389 5876
5876 9267
Shared key KAX: Shared key KBX
5876a = 8389x 9267x = 5876b
• After this exchange, the middle-person attacker simply decrypts any
messages sent out by A or B, and then reads any possibly modifies
them before re-encrypting with the appropriate key and transmitting
them to the correct party.
• Middle-person attack is possible due to the fact that DHC does not
authenticate the participants. Possible solutions are digital signatures
and other protocol variants.
Códigos y Criptografía Francisco Rodríguez Henríquez
Solution: Mutual authentication

I am A, R1

R2, KAB {R1}


A B
KAB{R2}

Códigos y Criptografía Francisco Rodríguez Henríquez


Reflection attack

I am A,
T R1
B
R2, KAB{R1}

I am A, R2
T B
R3, KAB{R2}

Códigos y Criptografía Francisco Rodríguez Henríquez


Encryption across a
packet-switching network

Códigos y Criptografía Francisco Rodríguez Henríquez


Elements of PKI

• Certificate Authorities (CA)


– OpenSSL, Netscape, Verisign, Entrust, RSA Keon
• Public/Private Key Pairs - Key management
• x.509 Identity Certificates - Certificate
management
• LDAP servers

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS
• Public-key cryptography standards (PKCS)
• Owned by RSA and motivated to promote RSA
• Created in early 1990’s
• Numbered from PKCS1 to PKCS15
• Some along the way have
– lost interest
– folded into other PKCS
– taken over by other standards bodies
• Continue to evolve

Códigos y Criptografía Francisco Rodríguez Henríquez


RSA cryptosystem by layers
Protocols and Applications: SSL, TLS, WTLS, WAP,
etc.

PKCS User Functions:PKCS1_OAEP_Encrypt,


PKCS1_OAEP_Decrypt, PKCS1_v15_Sign,

PKCS Primitives: PKCS1_OAEP_Encode,


PKCS1_OAEP_Decode, etc

RSA primitive Operations: Encryption: C = Me mod n,


Decryption M = Cd mod n.

FP finite field operations : Addition, Squaring,


multiplication, inversion and exponentiation

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS 1

• RSA Cryptography Standard


Version 2.0 onwards (1998)
RSA Encryption Standard
Version 1.5 (1993)

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS 1

• Specifies how to use the RSA algorithm


securely for encryption and signature
• Why do we need this?
– Padding for encryption
– Different schemes for signature

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS 1
• Chosen ciphertext attack based on
multiplicative property of RSA
• Attacker wishes to decrypt c
Choose r, compute c’ = c⋅ re mod n
Get victim to decrypt c’ giving cd ⋅ r mod n
cd ⋅ r ⋅ r-1 mod n = cd mod n
• Padding destroys multiplicative property

Códigos y Criptografía Francisco Rodríguez Henríquez


RSA: Key Generation

Códigos y Criptografía Francisco Rodríguez Henríquez


RSA: Encryption, Decryption

Códigos y Criptografía Francisco Rodríguez Henríquez


RSA: An Example

Códigos y Criptografía Francisco Rodríguez Henríquez


RSA encryption is
deterministic

We can check whether M is the message of C by C=Me mod n.

Attack example: C = (PIN)e mod n, where PIN is 4-digit number.


We can find M by a brute force attack within several 10 seconds.

=> We need a semantically secure cryptosystem!


Semantically secure: For two messages M0, M1, and C = Mb2 mod n,
attackers can not guess whether C is encryption of Mb (b=0,1).

An easy way is to pad M with random integer R like M||R, but no security proof!

Códigos y Criptografía Francisco Rodríguez Henríquez


Chosen Ciphertext Attack (CCA)

Decryption oracle
ciphertext C
d
Information based on C,d

An attack example:
(0) We assume the decryption oracle computes Ad mod n for a request.
(1) Attacker computes A = ReC mod n for a random R in Zn, and sends A to
the decryption oracle.
(2) Decryption oracle computes B = Ad mod n and send B back to the
attacker.
(3) The attacker computes B/R = M mod n and get the message M.
There are several models, which are secure
against the chosen ciphertext attack

Códigos y Criptografía Francisco Rodríguez Henríquez


Side Channel Attacks
Algorithm Binary exponentiation
Input: a in G, exponent d = (dk,dk-1,…,d0)
The time or the power to execute
䚭䚭䚭䚭䚭(dk is the most significant bit)
Output: c = ad in G
c2 and c*a are different
1. c = a; (side channel information).
2. For i = k-1 down to 0;
3. c = c2;
4. If di =1 then c = c*a;
Algorithm Coron’s exponentiation
5. Return c;
Input: a in G, exponent d = (dk,dk-1,…,dl0)
Output: c = ad in G
1. c[0] = 1;
2. For i = k-1 down to 0;
3. c[0] = c[0]2;
4. c[1] = c[0]*a;
5. c[0] = c[di];
6. Return c[0];

Códigos y Criptografía Francisco Rodríguez Henríquez


Differential Fault Attack
(DFA)
An attacker obtains a decryption which is computed in a wrong way.

M = Cd mod n n
dq = d mod (q-1)
Mq =Cdq mod q
dp = d mod (p-1)
Mp = Cdp mod p v = (Mq – Mp) p-1 mod q,
p q

M = Mp + pv mod n.
n

In the RSA using the CRT, if an attacker can break the computation
of v (as v=0), then he/she can factor n by computing gcd(M-Mp,n)=p.

Códigos y Criptografía Francisco Rodríguez Henríquez


Klima-Rosa attack against
PGP

PGP dose not encrypt the key file which includes n.


Decryption oracle
integer X
d, n’
Xd mod n’

An attacker can change the public key n to n’

The attacker can obtain Xd mod n’ for changed n’.


He/she can recover d by Silver-Pohlig-Hellman algorithm

Códigos y Criptografía Francisco Rodríguez Henríquez


Bleichenbacher’s CCA
Decryption oracle
any integer C mod n
d
Cd 䌓㻃PKCS-format or not

PKCS-Format for a message m


most significant byte least significant byte

00 02 random padding 00 message m


at least 8 bytes

Theorem (Bleichenbacher): Let n be a 1024-bit RSA modus. For a given C,


the value Cd mod n can be computed by about 220 accesses to the decryption
oracle, where d is the secret key.

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS 1

• Version 1.5, 1993


– Encryption padding was found defective in
1998 by Bleichenbacher
– Possible to generate valid ciphertext without
knowing corresponding plaintext with
reasonable probability of success (chosen
ciphertext)

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS 1
• Uses Optimal asymmetric encryption protocol (OAEP) by
Bellare-Rogoway 1994
– provably secure in the random oracle model.
– Informally, if hash functions are truly random, then an
adversary who can recover such a message must be able
to break RSA
– plaintext-awareness: to construct a valid OAEP encoded
message, an adversary must know the original plaintext
• PKCS 1 version 1.5 padding continues to be allowed for
backward compatibility
• Accommodation for multi-prime RSA
– Speed up private key operations
Códigos y Criptografía Francisco Rodríguez Henríquez
PKCS 1
• Cryptographic primitives
• Cryptographic scheme
– Encryption scheme
– Signature scheme
• Signature with appendix: supported
• Signature with message recovery: not supported
• Encoding and decoding
– Converting an integer message into an octet string
for use in encryption or signature scheme and vice
versa

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS 1
• Cryptographic primitives
• Encrypt RSAEP((n,e),m)
• Decrypt RSADP((n,d),c)
• Sign RSASP1((n,d),m)
• Verify RSAVP1((n,e),s)
Basically exponentiation with differently named
inputs!!

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS 1
Encryption scheme
• Combines encryption primitive with an encryption
encoding method
• message → encoded message → integer message
representative → encrypted message
Decryption scheme
• Combines decryption primitive with a decryption
decoding method
• encrypted message → integer message representative →
encoded message → message
Original version 1.5 scheme and new version 2.0 scheme

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS 1
Encryption scheme
• Combines signature primitive with a signature encoding
method.
• message → encoded message → integer message
representative → signature
Decryption scheme
• Combines verification primitive with a verification
decoding method
• signature → integer message representative → encoded
• message → message
Original version 1.5 scheme
Signature with appendix

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS 1
Symbol Meaning Symbol Meaning
k Length of n in octets EB Encryption block
n The modulus, 28(k- ED Encrypted data
1)≤ n<28k

p, q Prime factors of n BT Block type


e public exp. PS Padding string
d priv exp. S signature
M Message ||X|| Length of X in octets
MD Message digest
MD’ Comp. mess. digest
Códigos y Criptografía Francisco Rodríguez Henríquez
PKCS Data formatting

The data is an octet string D, where ||D|| ≤ k-


11. BT is a single octet whose hex
representation is either 00 or 01. PS is an
octet string with ||PS|| = k -3-||D||. If BT =
00, then all octets in PS are 00; if BT=01,
then all octets in PS are FF.

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS Data formatting
The formatted data block (called the encryption block) is:
EB = 00||BT||PS||00||D.

PKCS-Format for a message m


most significant byte least significant byte

00 02 random padding 00 message m


at least 8 bytes

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS Data formatting
i. The leading 00 block ensures that the octet
string EB, when interpreted as an integer, is
less than the modulus n.
ii. If the block type is BT = 00, then either D must
begin with a non-zero octet or its length must
be known, in order to permit unambiguous
parsing of EB.

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS Data formatting
iii. If BT = 01, then unambiguous parsing is
always possible.
iv. For the reason given in (iii), and to
thwart certain potential attacks on the
signature mechanism, BT = 01 is
recommended.

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS Data formatting
Example: Suppose that n is a 1024-bit
modulus (so k = 128). If ||D|| = 20 octets,
then ||PS|| = 105 octets, so that ||EB|| =
128 octets.

Códigos y Criptografía Francisco Rodríguez Henríquez


Signature process for PKCS #1
1. Message Hashing. Hash the message M
using the selected message-digest algorithm
to get the octet string MD.
2. Message Digest Encoding. MD and the
hash algorithm identifier are combined into
an ASN.1 (Abstract Syntax Notation) value
and then BER-encoded (Basic Encoded
Rules) to give an octec data string D.
Códigos y Criptografía Francisco Rodríguez Henríquez
Signature process for PKCS #1
3. Data block formatting. With data string
input D, use the data formatting discussed
previously to form octet string EB.
4. Octet-string2integer conversion. Let the
octets ob EB be EB1|| EB1|| EB2||… ||EBk.
Define EB’i to be the integer whose binary
representation is the octet EBi (LSB bit is
on the right).
Códigos y Criptografía Francisco Rodríguez Henríquez
Signature process for PKCS #1

5. RSA Computation. Compute s = md mod n.


6. Integer2octet-string conversion. Convert s
to an octet string. The signature is S = ED.

Códigos y Criptografía Francisco Rodríguez Henríquez


Signature process for PKCS #1
MESSAGE

1. Message Hashing
2. Message Digest Encoding
3. Data block formatting
4. OctetString2integer conversion
5. RSA COmputation
6. Integer2octetString conversion

SIGNATURE

Códigos y Criptografía Francisco Rodríguez Henríquez


Verification process for
PKCS #1
1. Octet-string2integer conversion. Reject S if
the bit-length of S is not a multiple of 8.
Convert S to an integer s as in step 4 of the
signature process. Reject the signature is s >
n.
2. RSA Computation. Compute m = se mod n.

Códigos y Criptografía Francisco Rodríguez Henríquez


Verification process for
PKCS #1
3. Integer2octet-string conversion. Convert m
to an octet string as in step 6 of the
signature process.
4. Parsing. Parse EB into a block type BT, a
padding string PS, and the data D.
• Reject if EB cannot be parsed unambiguously.
• Reject if BT is not one of 00 or 01.
• Reject if PS consists of < 8 octets or is
inconsistent with BT.
Códigos y Criptografía Francisco Rodríguez Henríquez
Verification process for
PKCS #1
5. Data Decoding.
– BER-decode D to get a message digest MD and
a hash algorithm identifier.
– Reject if the hashing algorithm does not identify
one of MD2 or MD5.
6. Message Digest and Comparison. Hash the
message M using the selected message-
digest algorithm to get the octet string MD’
and compare it with MD obtained in (5).
Códigos y Criptografía Francisco Rodríguez Henríquez
Verification process for
PKCS #1
Signature and message

1. OctetString2integer conversion
2. RSA Computation
3. Integer2octetString conversion
4. Parsing
5. Data Encoding
6. Message digesting and comparison

SIGNATURE

Códigos y Criptografía Francisco Rodríguez Henríquez


PKCS 1: The Future

Probabilistic signature scheme (PSS)


Provably secure in random oracle model
Natural extension to message recovery

Códigos y Criptografía Francisco Rodríguez Henríquez

You might also like