Part 1: General - Computer Security Resource Center - National ...

More documents

Recommendations

Info

March, 2007 APPENDIX A: Cryptographic and Non-cryptographic Integrity and Authentication Mechanisms Integrity and authentication services are particularly important in protocols that include key management. When integrity or authentication services are discussed in this recommendation, they are afforded by “strong” cryptographic integrity or authentication mechanisms. Secure communications and key management are typically provided using a communications protocol that offers certain services, such as integrity or a "reliable" transport service. However, the integrity or reliable transport services of communications protocols are not necessarily adequate for cryptographic applications, particularly for key management, and there might be confusion about the meaning of terms such as “integrity”. All communications channels have some noise (i.e., unintentional errors inserted by the transmission media), and other factors, such as network congestion, can cause packets to be lost. Therefore, integrity and reliable transport services for communications protocols are designed to function over a channel with certain worst-case noise characteristics. Transmission bit errors are typically detected using 1) a non-cryptographic checksum 31 to detect transmission errors in a packet, and 2) a packet counter that is used to detect lost packets. A receiving entity that detects damaged packets (i.e., packets in which errors have been detected) or lost packets may request the sender to retransmit them. The non-cryptographic checksums are generally effective at detecting transmission noise. For example, the common CRC-32 checksum algorithm used in local area network applications detects all error bursts with a span of less than 32 bits, and detects longer random bursts with a 2 -32 failure probability. However, the non-cryptographic CRC-32 checksum does not detect the swapping of 32-bit message words, and specific errors in particular message bits cause predictable changes in the CRC-32 checksum. The sophisticated attacker can take advantage of this to create altered messages that pass the CRC-32 integrity checks, even, in some cases, when the message is encrypted. Forward error correcting codes are a subset of non-cryptographic checksums that can be used to correct a limited number of errors without retransmission. These codes may be used, depending on the application and noise properties of the channel. Cryptographic integrity mechanisms, on the other hand, protect against an active, intelligent attacker who might attempt to disguise his attack as noise. Typically, the bits altered by the attacker are not random; they are targeted at system properties and vulnerabilities. Cryptographic integrity mechanisms are effective in detecting random noise events, but they also detect the more systematic deliberate attacks. Cryptographic hash algorithms, such as SHA-256 are designed to make every bit of the hash value a complex, nonlinear function of every bit of the message text, and to make it impractical to find two messages that hash to the same value. On average, it is necessary to perform 2 128 SHA-256 hash operations to find two messages that hash to the same value, and it is much harder than that to find another message whose SHA-256 hash 31 Checksum: an algorithm that uses the bits in the transmission to create a checksum value. The checksum value is normally sent in the transmission. The receiver re-computes the checksum value using the bits in the received transmission, and compares the received checksum value with the computed value to determine whether or not the transmission was correctly received. A non-cryptographic checksum algorithm uses a well-known algorithm without secret information (i.e., a cryptographic key). 123
March, 2007 is the same value as the hash of any given message. Cryptographic message authentication algorithms (MAC) employ hashes or symmetric encryption algorithms and a key to authenticate the source of a message, as well as protect its integrity (i.e., detect errors). Digital signatures use public key algorithms and hash algorithms to provide both authentication and integrity services. Compared to non-cryptographic integrity or authentication mechanisms, these cryptographic services are usually computationally more expensive; this seems to be unavoidable, since cryptographic protections must also resist deliberate attacks by knowledgeable adversaries with substantial resources. Cryptographic and non-cryptographic integrity mechanisms may be used together. For example, consider the TLS protocol (see <strong>Part</strong> 3). In TLS, a client and a server can authenticate each other, establish a shared "master key" and transfer encrypted payload data. Every step in the entire TLS protocol run is protected by strong cryptographic integrity and authentication mechanisms, and the payload is usually encrypted. Like most cryptographic protocols, TLS will detect any attack or noise event that alters any part of the protocol run with a given probability. However, TLS has no error recovery protocol. If an error is detected, the protocol run is simply terminated. Starting a new TLS protocol run is quite expensive. Therefore, TLS requires a "reliable" transport service, typically the Internet Transport Control Protocol (TCP), to handle and recover from ordinary network transmission errors. TLS will detect errors caused by an attack or noise event, but has no mechanism to recover from them. TCP will generally detect such errors on a packetby-packet basis and recover from them by retransmission of individual packets, before delivering the data to TLS. Both TLS and TCP have integrity mechanisms, but a sophisticated attacker could easily fool the weaker non-cryptographic checksums of TCP. However, because of the cryptographic integrity mechanism provided in TLS, the attack is thwarted. There are some interactions between cryptographic and non-cryptographic integrity or errorcorrection mechanisms that users and protocol designers must take into account. For example, many encryption modes expand ciphertext errors: a single bit error in the ciphertext can change an entire block or more of the resulting plaintext. If forward error correction is applied before encryption, and errors are inserted in the ciphertext during transmission, the error expansion during the decryption might "overwhelm" the error correction mechanism, making the errors uncorrectable. Therefore, it is preferable to apply the forward error correction mechanism after the encryption process. This will allow the correction of errors by the receiving entity’s system before the ciphertext is decrypted, resulting in “correct” plaintext. Interactions between cryptographic and non-cryptographic mechanisms can also result in security vulnerabilities. One classic way this occurs is with protocols that use stream ciphers 32 with non-cryptographic checksums (e.g. CRC-32) and that acknowledge good packets. An attacker can copy the encrypted packet, selectively modify individual ciphertext bits, selectively change bits in the CRC, and then send the packet. Using the protocol’s acknowledgement mechanism, the attacker can determine when the CRC is correct, and therefore, determine certain bits of the underlying plaintext. At least one widely used wireless encryption protocol has been broken with such an attack. 32 Stream ciphers encrypt and decrypt one element (e.g., bit or byte) at a time. There are no FIPS algorithms specifically designated as stream ciphers. However, some of the cryptographic modes defined in [SP 800-38] can be used with a symmetric block cipher algorithm, such as AES, to perform the function of a stream cipher. 124
Page 1 and 2:
ARCHIVED PUBLICATION The attached p
Page 3 and 4:
Abstract March, 2007 This Recommend
Page 5 and 6:
Authority March, 2007 This document
Page 7 and 8:
March, 2007 key validation, account
Page 9 and 10:
March, 2007 4.2.4.1 DSA............
Page 11 and 12:
March, 2007 8 KEY MANAGEMENT PHASES
Page 13 and 14:
March, 2007 10.2.9 Compromise Manag
Page 15 and 16:
March, 2007 Figure 3: Key states an
Page 17 and 18:
March, 2007 1.2 Audience The audien
Page 19 and 20:
March, 2007 1. Section 1, Introduct
Page 21 and 22:
March, 2007 Backup A copy of inform
Page 23 and 24:
March, 2007 Digital signature The r
Page 25 and 26:
Key Management Policy Key Managemen
Page 27 and 28:
Proof of possession (POP) Pseudoran
Page 29 and 30:
March, 2007 Split knowledge A proce
Page 31 and 32:
March, 2007 3 Security Services Cry
Page 33 and 34:
March, 2007 However, it is often th
Page 35 and 36:
March, 2007 4 Cryptographic Algorit
Page 37 and 38:
March, 2007 operates on blocks (chu
Page 39 and 40:
March, 2007 minimum key size 7 of 1
Page 41 and 42:
March, 2007 2. The protocols trigge
Page 43 and 44:
March, 2007 7. Symmetric key wrappi
Page 45 and 46:
March, 2007 9. Random numbers: The
Page 47 and 48:
March, 2007 In general, where stron
Page 49 and 50:
March, 2007 a. When a symmetric key
Page 51 and 52:
March, 2007 information. For less s
Page 53 and 54:
8. Symmetric and Asymmetric RNG key
Page 55 and 56:
15. Private ephemeral key agreement
Page 57 and 58:
Key Type 12. Symmetric Key Agreemen
Page 59 and 60:
March, 2007 establishment keys, see
Page 61 and 62:
March, 2007 c. Restricting plaintex
Page 63 and 64:
March, 2007 algorithms completely i
Page 65 and 66:
March, 2007 Table 3: Hash function
Page 67 and 68:
Table 4: Recommended algorithms and
Page 69 and 70:
March, 2007 size is available, the
Page 71 and 72:
Security life of data up to 4 years
Page 73 and 74: March, 2007 6 Protection Requiremen
Page 75 and 76: Table 5: Protection requirements fo
Page 77 and 78: Key Type Security Service Private e
Page 79 and 80: March, 2007 Crypto. Security Securi
Page 81 and 82: March, 2007 may be applied only to
Page 83 and 84: March, 2007 All cryptographic infor
Page 85 and 86: March, 2007 8. Domain parameters (e
Page 87 and 88: March, 2007 6. Destroyed Compromise
Page 89 and 90: March, 2007 a. A private signature
Page 91 and 92: 2 Pre-Operational Phase 3 7 1 4 Ope
Page 93 and 94: March, 2007 8.1 Pre-operational Pha
Page 95 and 96: 8.1.5.1.1 Distribution of Static Pu
Page 97 and 98: March, 2007 and then provide eviden
Page 99 and 100: March, 2007 listed in Section 8.1.5
Page 101 and 102: March, 2007 encrypting key or publi
Page 103 and 104: March, 2007 8.1.5.3.5 Intermediate
Page 105 and 106: March, 2007 of keying material and
Page 107 and 108: March, 2007 2. The application in w
Page 109 and 110: March, 2007 and the key derivation
Page 111 and 112: March, 2007 Type of Key Archive? Re
Page 113 and 114: March, 2007 All records of the enti
Page 115 and 116: March, 2007 other cryptographic inf
Page 117 and 118: March, 2007 access to information e
Page 119 and 120: March, 2007 1. Private key used to
Page 121 and 122: March, 2007 10.2 Content of the Key
Page 123: March, 2007 Management Specificatio
Page 127 and 128: March, 2007 If the decision is made
Page 129 and 130: March, 2007 only, and then shall be
Page 131 and 132: March, 2007 may be stored in backup
Page 133 and 134: March, 2007 and the method of key r
Page 135 and 136: March, 2007 ephemeral key pairs, an
Page 137 and 138: B.3.14.7 Key Control Information Ma
Page 139 and 140: March, 2007 to be saved. Keys for t
Page 141 and 142: [HAC] Handbook of Applied Cryptogra
Page 143: March, 2007 the owner by the CA tha
show all

Part 1: General - Computer Security Resource Center - National ...

Create successful ePaper yourself

Delete template?

Save as template?