Lecture 04 message authentication and hash functions

Lecture 04 Message Authentication and Hash Functions. Asst.Prof.Supakorn Kungpisdan, Ph.D. [email protected] Outline. Authentication Requirements Authentication Functions Hash and MAC Algorithms. What is Authentication?.

Lecture 04 Message Authentication and Hash Functions

Asst.Prof.Supakorn Kungpisdan, Ph.D.

[email protected]


NETE0519-ITEC4614

Outline

  • Authentication Requirements

  • Authentication Functions

  • Hash and MAC Algorithms


What is Authentication?

  • A procedure to verify that received messages come from the alleged source and have not been altered.

    • A digital signature is one such technique; it also includes a countermeasure against repudiation by either source or destination.


Authentication Requirements

  • Possible attacks

    1. Disclosure

    2. Traffic Analysis

    3. Masquerade

    4. Content Modification

    5. Sequence Modification

    6. Timing Modification

    7. Repudiation: source and destination repudiation

  • Attacks #1-2 -> Confidentiality

  • Attacks #3-7 -> Authentication

    • Especially #7 is related to Digital Signature


Authentication Functions

  • 3 Types of cryptographic operations related to authentication:

    • Message Encryption

    • Message Authentication Code (MAC)

    • Hash Function


Message Encryption

  • Conventional Encryption


Conventional Encryption (cont.)

  • Conventional encryption provides a weak form of authentication

  • If Bob can recover a message encrypted with a shared key between Alice and Bob, Bob knows that Alice sent this message.

  • If the message has been altered, Bob would not be able to read it.


Message Encryption (cont.)

  • Public-key Encryption


Confidentiality and Authentication Implications of Message Encryption


Confidentiality and Authentication Implications of Msg Encryption (cont.)


Message Authentication Codes (MACs)

  • A MAC involves the use of a secret key to generate a small fixed-size block of data.

  • A MAC is also known as a cryptographic checksum:

    MAC = C_K(M)

    where M is a variable-length message,

    K is a secret key shared between sender and receiver, and

    C_K(M) is the fixed-length authenticator

  • The MAC is appended to the message and sent to the receiver.


Message Authentication Code

  • A MAC is irreversible, but encryption isn’t.

    1. Alice and Bob share the secret K1.

    2. Alice calculates MAC1 = C_K1(M)

    Alice -> Bob: {M, MAC1}

    3. Bob calculates MAC2 = C_K1(M)

    If MAC2 = MAC1, M was sent by Alice and has not been altered

  • Confidentiality can be provided by encryption with another shared key.

    Alice -> Bob: {M, MAC1}_K2


Requirements for MACs

  • If an opponent observes M and C_K(M), it should be computationally infeasible to construct M’ such that C_K(M’) = C_K(M).

  • C_K(M) should be uniformly distributed in the sense that for randomly chosen messages, M and M’, the probability that C_K(M) = C_K(M’) is 2^-n, where n is the number of bits in the MAC.

  • Let M’ be equal to some known transformation on M. That is, M’ = f(M). E.g. f may involve inverting one or more specific bits.

    In that case, Pr[C_K(M) = C_K(M’)] = 2^-n.


Using Symmetric Ciphers for MACs

  • can use any block cipher chaining mode and use final block as a MAC

  • Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC

    • using IV=0 and zero-pad of final block

    • encrypt message using DES in CBC mode

    • and send just the final block as the MAC

      • or the leftmost M bits (16≤M≤64) of final block

  • but final MAC is now too small for security


Data Authentication Algorithm


Hash Functions

  • A (one-way) hash function accepts a variable-size message M as input and produces a fixed-size hash code H(M) as output (called Message Digest)

  • Hash code provides error detection -> a change in one bit of message results in a change to the hash code.


Requirements for a Hash Function

  • H can be applied to a block of data of any size.

  • H produces a fixed-length output.

  • It is easy to compute H(x) from any given x.

  • For any given h, computationally infeasible to find x, where H(x) = h (“one-way property”)

  • For any x, computationally infeasible to find y, y≠x, H(y) = H(x) (“weak collision resistance”)

  • Computationally infeasible to find any pair of (x, y) such that H(x) = H(y) (“strong collision resistance”)


Simple Hash Function

  • Bit-by-bit exclusive-OR (XOR)

    C_i = b_i1 ⊕ b_i2 ⊕ … ⊕ b_im

    where C_i = ith bit of the hash code, 1 ≤ i ≤ n

    m = no. of n-bit blocks in the input

    b_ij = ith bit in jth block

    ⊕ = XOR operation


Basic Uses of Hash Functions

Digital Signature


Basic Uses of Hash Functions (cont.)

S is shared between sender and receiver


Hash and MAC Algorithms

  • Hash Functions

    • condense arbitrary size message to fixed size

    • by processing message in blocks

    • through some compression function

    • either custom or block cipher based

  • Message Authentication Code (MAC)

    • fixed sized authenticator for some message

    • to provide authentication for message

    • by using block cipher mode or hash function


Roadmap

  • Authentication Requirements

  • Authentication Functions

  • Hash and MAC Algorithms

    • MD5

    • SHA-1

    • HMAC


General Structure of Hash Function

f: compression function taking two inputs and producing n-bit output

CV_0 = IV = initial n-bit value

CV_i = f(CV_{i-1}, Y_{i-1}), 1 ≤ i ≤ L

H(M) = CV_L


MD5 Message Digest Algorithm


MD5 Steps

1. Append padding bits: up to 64 bits less than a multiple of 512 bits

2. Append length: 64-bit representation of the length in bits. If the message is longer than 2^64 bits, only the low-order 64 bits of the length are used.

    • Message length = K mod 2^64. K is the message represented as a decimal number.

    • The message is represented as a sequence of 512-bit blocks Y_0, Y_1, …, Y_{L-1}

    • So, we have L blocks of 512 bits

    • Each block is divided into 16 32-bit words.

    • Total number of words in the message is N represented by M[0,…, N-1]

      N = L x 16


MD5 Steps (cont.)

3. Initialize MD buffer

  • The buffer is represented as 4 32-bit registers (A, B, C, D)

  • Initialization value (in HEX)

    A: 01 23 45 67 (32 bits)

    B: 89 AB CD EF

    C: FE DC BA 98

    D: 76 54 32 10


MD5 Steps (cont.)

4. Process message in 512-bit (16-word) blocks



MD5 Steps (cont.)

5. Output

CV_0 = IV

CV_{q+1} = SUM_32(CV_q, RF_I[Y_q, RF_H[Y_q, RF_G[Y_q, RF_F[Y_q, CV_q]]]])

MD = CV_L

IV = initial value of ABCD buffer

Y_q = the qth 512-bit block of the message

L = the number of blocks in the message

CV_q = chaining variable processed with qth message block

RF_x = round function using primitive function x

MD = final message digest value

SUM_32 = Addition modulo 2^32 performed separately on each word of the pair of inputs


MD5 Compression Function

S-bit circular left shift

Addition modulo


MD5 Compression Function (cont.)

  • Each step is in the form:

    a <- b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)

    a,b,c,d = four words of the buffer

    g = one of the primitive functions F,G,H,I

    <<< s = s-bit circular left shift

    X[k] = M[q x 16 + k] = the kth 32-bit word in the qth 512-bit block of the message

    T[i] = the ith 32-bit word in matrix T

    + = addition modulo 2^32


MD5 Update Algorithm

L = N/16

1 block = 16 words
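
The MD5 steps above carried through in Python, as an added example that is not part of the original slides. The shift amounts S, the word index k for each round and T[i] = floor(2^32 x |sin(i + 1)|) are taken from RFC 1321, not from the slides; the function names are chosen here. MD5 appears only as the worked case of the iterated structure, since collisions have been reported for it.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# Left-rotation amounts s: 16 steps in each of the four rounds (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# T[i] = integer part of 2^32 * |sin(i + 1)|.
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]
# A, B, C, D: the bytes 01 23 45 67 ... are stored low-order byte first.
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def pad(message):
    """Steps 1-2: 0x80, zeros up to 448 mod 512 bits, then the 64-bit length."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack("<Q", (8 * len(message)) % 2**64)

def compress(cv, block):
    """Step 4 for one block Y_q: four rounds of 16 steps, then SUM_32 with CV_q."""
    X = struct.unpack("<16I", block)
    a, b, c, d = cv
    for i in range(64):
        if i < 16:
            g, k = (b & c) | (~b & d), i                  # F
        elif i < 32:
            g, k = (b & d) | (c & ~d), (5 * i + 1) % 16   # G
        elif i < 48:
            g, k = b ^ c ^ d, (3 * i + 5) % 16            # H
        else:
            g, k = c ^ (b | ~d), (7 * i) % 16             # I
        # a <- b + ((a + g(b,c,d) + X[k] + T[i]) <<< s), then the words rotate.
        new_b = (b + rotl((a + g + X[k] + T[i]) & MASK, S[i])) & MASK
        a, b, c, d = d, new_b, b, c
    return tuple((x + y) & MASK for x, y in zip(cv, (a, b, c, d)))

def md5(message):
    cv = IV                                   # CV_0 = IV
    data = pad(message)
    for q in range(0, len(data), 64):         # L blocks of 512 bits
        cv = compress(cv, data[q:q + 64])
    return struct.pack("<4I", *cv).hex()      # MD = CV_L

def matches_hashlib(message):
    return md5(message) == hashlib.md5(message).hexdigest()
```

A 56-byte message already needs a second block, because the padding bit and the 64-bit length no longer fit in the first one.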


SHA-1

  • MD5 accepts arbitrary length of input and produces 128-bit output.

  • SHA-1 accepts arbitrary length (less than 2^64 bits) of input and produces 160-bit output.


SHA-1 Steps

1. Append padding bits to 64 bits less than a multiple of 512 bits (length ≡ 448 mod 512)

2. Append length: length of original message in binary (64 bits)

3. Initialize MD buffer (160 bits)

    Initialization value

    A: 67 45 23 01

    B: EF CD AB 89

    C: 98 BA DC FE

    D: 10 32 54 76

    E: C3 D2 E1 F0


SHA-1 Steps (cont.)

4. Process message in 512-bit (16-word) blocks: for each 512-bit message to be processed,

  • 4 rounds, 20 steps each (compared to 16 steps each in MD5)

  • So, 80 steps for 4 rounds


SHA-1 Steps (cont.)


SHA-1 Steps (cont.)

5. Output

  • After all 512-bit blocks have been processed, the output from the Lth stage is the 160-bit message digest.

    CV_0 = IV

    CV_{q+1} = SUM_32(CV_q, ABCDE_q)

    IV = initial value of ABCDE buffer

    ABCDE_q = the output of the last round of processing of the qth message block

    L = no. of message blocks

    SUM_32 = Addition modulo 2^32


SHA-1 Compression Function

  • In each of the 80 rounds of processing one 512-bit message block

    A,B,C,D,E <- (E + f(t, B, C, D) + S^5(A) + W_t + K_t), A, S^30(B), C, D

    A,B,C,D,E = words of the buffer

    t = step number, 0 ≤ t ≤ 79

    f(t,B,C,D) = primitive function for step t

    S^k = k-bit circular shift of the 32-bit argument

    W_t = a 32-bit word derived from the current 512-bit input block

    K_t = an additive constant for step t

    + = addition modulo 2^32


SHA-1 Compression Function (cont.)


SHA-1 Compression Function (cont.)

W_t = S^1(W_{t-16} ⊕ W_{t-14} ⊕ W_{t-8} ⊕ W_{t-3})


SHA-1 VS MD5

  • Security against brute-force attacks

    • Length of SHA-1 output is longer than that of MD5

  • Security against cryptanalysis

    • Collisions have been reported for both MD5 and SHA-1

  • Speed

    • SHA-1 is slower than MD5: 80 versus 64 steps each round

  • Simplicity and compactness

    • Both are simple


SHA-2 and SHA-3

  • NIST issued revision FIPS 180-2 in 2002

  • adds 3 additional versions of SHA

    • SHA-256, SHA-384, SHA-512

  • designed for compatibility with increased security provided by the AES cipher

  • structure & detail is similar to SHA-1

  • hence analysis should be similar

  • but security levels are rather higher

  • Keccak has since been named SHA-3. It is not intended to replace SHA-2.


SHA-512 Overview


Keyed Hash Functions as MACs

  • want a MAC based on a hash function

    • because hash functions are generally faster

    • code for crypto hash functions widely available

  • hash includes a key along with message

  • original proposal:

    KeyedHash = Hash(Key|Message)

    • some weaknesses were found with this

  • eventually led to development of HMAC


HMAC (Hashed MAC)

  • A MAC based on a cryptographic hash code

  • Motivations:

    • Executing a hash function is faster than symmetric encryption

    • Library code for hash functions is widely available.

    • No export restrictions from the US to other countries


HMAC

  • specified as Internet standard RFC2104

  • uses hash function on the message:

    HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]

  • where K+ is the key padded out to size

  • and opad, ipad are specified padding constants

  • overhead is just 3 more hash calculations than the message needs alone

  • any hash function can be used

    • eg. MD5, SHA-1, RIPEMD-160, Whirlpool


HMAC Algorithm

H = hash function

M = Message

Y_i = ith block of M, 0 ≤ i ≤ L-1

L = no. of blocks in M

b = no. of bits in a block (based on chosen hash fn)

n = length of hash code

K = secret key

K+ = K padded with zeros on the left so that the length is b bits

ipad = 00110110 repeated b/8 times

opad = 01011100 repeated b/8 times

HMAC_K = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]


Advantages of HMAC

  • Existing hash function can be implemented in HMAC

  • Easy to replace with more secure or updated hash algorithm

  • HMAC is proven more secure than hash algorithms


HMAC Security

  • proved security of HMAC relates to that of the underlying hash algorithm

  • attacking HMAC requires either:

    • brute force attack on key used

    • birthday attack (but since keyed would need to observe a very large number of messages)

  • choose hash function used based on speed versus security constraints



Quiz

  • Describe the difference between hash functions and MACs in terms of security and their usages

  • Can we produce a MAC using:

    2.1 symmetric encryption?

    2.2 public-key encryption?

    Then compare them with HMAC

