Message Authentication and Hash Functions

- Authentication Requirements
- Authentication Functions
- Message Authentication Codes
- Hash Functions
- Security of Hash Functions and MACs

- Kinds of attacks (threats) in the context of communications across a network
  1. Disclosure
  2. Traffic analysis
  3. Masquerade
  4. Content modification
  5. Sequence modification
  6. Timing modification
  7. Repudiation

- Measures to deal with the first two attacks
  - These are in the realm of message confidentiality and are addressed with encryption

- Measures to deal with items 3 through 6
  - Message authentication

- Measures to deal with item 7
  - Digital signature

- Message authentication
- A procedure to verify that messages come from the alleged source and have not been altered
- Message authentication may also verify sequencing and timeliness

- Digital signature
- An authentication technique that also includes measures to counter repudiation by either source or destination

Authentication Functions

- A message authentication or digital signature mechanism can be viewed as having two levels
  - At the lower level, there must be some sort of function that produces an authenticator: a value used to authenticate a message
  - This lower-level function is used as a primitive in a higher-level authentication protocol

Authentication Functions

- Three classes of functions that may be used to produce an authenticator
- Message encryption
- Ciphertext itself serves as authenticator

- Message authentication code (MAC)
- A public function of the message and a secret key that produces a fixed-length value that serves as the authenticator

- Hash function
- A public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator

Authentication Functions

- Message encryption
  - Conventional encryption can serve as authenticator
  - Conventional encryption provides authentication as well as confidentiality
  - Requires recognizable plaintext or other structure to distinguish between well-formed legitimate plaintext and meaningless random bits
  - e.g., ASCII text, an appended checksum, or use of layered protocols

Ways of Providing Structure

- Append an error-detecting code (frame check sequence (FCS)) to each message

Ways of Providing Structure - 2

- Suppose all of each datagram except the IP header is encrypted.
  - If an opponent substituted some arbitrary bit pattern for the encrypted TCP segment, the resulting plaintext would not include a meaningful header

Confidentiality and Authentication Implications of Message Encryption

Authentication Functions

- Uses a shared secret key to generate a fixed-size block of data (known as a cryptographic checksum or MAC) that is appended to the message
- $\mathrm{MAC} = C_K(M)$
- Assurances:
  - Message has not been altered
  - Message is from alleged sender
  - Message sequence is unaltered (requires internal sequencing)

- Similar to encryption, but the MAC algorithm need not be reversible
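
Added example (not from the original slides): the three MAC assurances above, checked by a receiver. It assumes HMAC-SHA256 as the MAC function C and an 8-byte internal sequence number; the frame layout, keys and messages are constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def protect(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender: frame = seq (8 bytes) || M || C_K(seq || M)."""
    body = struct.pack(">Q", seq) + message
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0  # internal sequencing state

    def accept(self, frame: bytes):
        """Return the message if the frame is authentic and in order, else None."""
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None  # content modified, or sender does not hold K
        (seq,) = struct.unpack(">Q", body[:8])
        if seq != self.next_seq:
            return None  # replayed, dropped or reordered frame
        self.next_seq += 1
        return body[8:]

def demo():
    key = b"constructed-demo-key-not-for-use"
    rx = Receiver(key)
    f0 = protect(key, 0, b"pay 10 to alice")
    f1 = protect(key, 1, b"pay 20 to bob")
    tampered = f0[:8] + b"pay 90 to alice" + f0[-TAG_LEN:]
    wrong_key = protect(b"some-other-key", 0, b"pay 10 to alice")
    return {  # values are evaluated top to bottom
        "tampered": rx.accept(tampered),
        "wrong_key": rx.accept(wrong_key),
        "out_of_order": rx.accept(f1),
        "first": rx.accept(f0),
        "replay": rx.accept(f0),
        "second": rx.accept(f1),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} -> {result}")
```

The sequence number is covered by the MAC, so it cannot be rewritten without the key; that is what "requires internal sequencing" amounts to in practice.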

Basic Uses of MAC

Authentication Functions

- i.e., why not just use encryption?

Authentication Functions

- Converts a variable-size message M into a fixed-size hash code H(M) (sometimes called a message digest)
- Can be used with encryption for authentication
  - E(M || H)
  - M || E(H)
  - M || signed H
  - E(M || signed H) gives confidentiality
  - M || H(M || K)
  - E(M || H(M || K))

Basic Uses of Hash Function

MACs

- $\mathrm{MAC} = C_K(M)$
- Key length requirements
  - Sufficient key length to thwart brute force attack

Hash Functions

- h = H(M)
- M is a variable-length message, h is a fixed-length hash value, H is a hash function
- The hash value is appended at the source
- The receiver authenticates the message by recomputing the hash value
- Because the hash function itself is not considered to be secret, some means is required to protect the hash value

Hash Functions

- H can be applied to any size data block
- H produces fixed-length output
- H(x) is relatively easy to compute for any given x
- H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x)
- H is weakly collision resistant: given x, it is computationally infeasible to find any $y \neq x$ s.t. H(x) = H(y)
- H is strongly collision resistant: it is computationally infeasible to find any x and y s.t. H(x) = H(y)

Hash Functions

- One-way property is essential for authentication
- Weak collision resistance is necessary to prevent forgery
- Strong collision resistance is important for resistance to birthday attack

Hash Functions

- Operation of hash functions
  - The input is viewed as a sequence of n-bit blocks
  - The input is processed one block at a time in an iterative fashion to produce an n-bit hash value

- Simplest hash function: bitwise XOR of every block
  - $C_i = b_{i1} \oplus b_{i2} \oplus \dots \oplus b_{im}$
    - $C_i$ = i-th bit of the hash code, $1 \le i \le n$
    - m = number of n-bit blocks in the input
    - $b_{ij}$ = i-th bit in j-th block
  - Known as longitudinal redundancy check

Hash Functions

- Improvement over the simple bitwise XOR
- Initially set the n-bit hash value to zero
- Process each successive n-bit block of data as follows
- Rotate the current hash value to the left by one bit
- XOR the block into the hash value
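
Added example (not from the original slides): both simple hash functions above with n = 16, run on constructed messages. It shows that the plain XOR ignores block order, that the rotate-and-XOR version notices reordering, and that neither is weakly collision resistant, because a final block matching any chosen hash value can be computed directly.

```python
N = 16                      # block width in bits (chosen for the demo)
MASK = (1 << N) - 1

def blocks(data: bytes):
    """Split data into n-bit blocks, zero-padding the last one."""
    step = N // 8
    data += b"\x00" * (-len(data) % step)
    return [int.from_bytes(data[i:i + step], "big")
            for i in range(0, len(data), step)]

def xor_hash(data: bytes) -> int:
    """Longitudinal redundancy check: C_i is the XOR of bit i of every block."""
    h = 0
    for b in blocks(data):
        h ^= b
    return h

def rotl(x: int) -> int:
    """Rotate an n-bit value left by one bit."""
    return ((x << 1) | (x >> (N - 1))) & MASK

def rxor_hash(data: bytes) -> int:
    """Improved version: rotate the hash left one bit, then XOR in the block."""
    h = 0
    for b in blocks(data):
        h = rotl(h) ^ b
    return h

def matching_last_block(prefix: bytes, target: int) -> bytes:
    """Block that makes rxor_hash(prefix + block) == target.
    The prefix length must be a multiple of the block size."""
    return (rotl(rxor_hash(prefix)) ^ target).to_bytes(N // 8, "big")

if __name__ == "__main__":
    original = b"PAY ALICE 10"                                # constructed
    reordered = original[2:4] + original[0:2] + original[4:]  # swap two blocks
    print("XOR:        ", hex(xor_hash(original)), hex(xor_hash(reordered)))
    print("rotate+XOR: ", hex(rxor_hash(original)), hex(rxor_hash(reordered)))
    other = b"PAY MALLORY 9000"                               # constructed
    padded = other + matching_last_block(other, rxor_hash(original))
    print("different message, same hash:",
          rxor_hash(padded) == rxor_hash(original))
```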

Birthday Attack

- If the adversary can generate $2^{m/2}$ variants of a valid message and an equal number of fraudulent messages
- The two sets are compared to find one message from each set with a common hash value
- The valid message is offered for signature
- The fraudulent message with the same hash value is inserted in its place
- If a 64-bit hash code is used, the level of effort is only on the order of $2^{32}$
- Conclusion: the length of the hash code must be substantial

Birthday Attack

Generating $2^{m/2}$ Variants of Valid Messages

- Insert a number of “space-backspace-space” character pairs between words throughout the document.
- Variations could then be generated by substituting “space-backspace-space” in selected instances
- Alternatively, simply reword the message but retain the meaning

Security of Hash Functions and MACs

- Three desirable properties of hash functions
  - One-way: For any given code h, it is computationally infeasible to find x s.t. H(x) = h
  - Weak collision resistance: For any given block x, it is computationally infeasible to find $y \neq x$ s.t. H(y) = H(x)
  - Strong collision resistance: It is computationally infeasible to find any pair (x, y) s.t. H(y) = H(x)

- Brute-force attack on n-bit hash code
  - One-way and weak collision require $2^n$ effort
  - Strong collision requires $2^{n/2}$ effort
  - If strong collision resistance is required (and this is desirable for a general-purpose secure hash code), $2^{n/2}$ determines the strength of the hash code against brute-force attack
  - Currently, the two most popular hash codes, SHA-1 and RIPEMD-160, provide a 160-bit hash code length
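
Added example (not from the original slides): a measurement of the $2^{n/2}$ collision effort stated in the Birthday Attack and brute-force slides. It assumes SHA-256 truncated to n bits as a stand-in for an n-bit hash code and uses constructed counter-labelled inputs; it counts hashes until any two inputs collide.

```python
import hashlib

def truncated_hash(data: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256, standing in for an n-bit hash code."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)

def find_collision(n_bits: int):
    """Hash distinct inputs until two share a hash value.
    Returns (x, y, trials) with x != y and equal n-bit hashes."""
    seen = {}
    trials = 0
    while True:
        x = b"constructed-input-%d" % trials
        trials += 1
        h = truncated_hash(x, n_bits)
        if h in seen:
            return seen[h], x, trials
        seen[h] = x

def effort_table(sizes=(16, 20, 24)):
    """For each n: hashes actually needed, next to 2^(n/2) and 2^n."""
    rows = []
    for n in sizes:
        _, _, trials = find_collision(n)
        rows.append((n, trials, 2 ** (n // 2), 2 ** n))
    return rows

if __name__ == "__main__":
    print(" n  hashes-to-collide  2^(n/2)        2^n")
    for n, trials, birthday, brute in effort_table():
        print(f"{n:2d}  {trials:17d}  {birthday:7d}  {brute:9d}")
```

The measured counts track the $2^{n/2}$ column rather than $2^n$, which is why a 160-bit hash code offers about 80 bits of strength against collision search.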