162 Views

Download Presentation
## Message Authentication

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Message Authentication**MAC and Hash CSE 5349/49**Message Authentication**• Verify that messages come from the alleged source, unaltered • Authentication requirements • Authentication functions CSE 5349/7349**Authentication Requirements**• Masquerade • Content modification • Insertion, deletion, transposition, modification of message contents • Sequence modification • Insertion, deletion, reordering of sequenced messages • Timing modification • Delay, replay • Repudiation • Denial of message transmission or receipt CSE 5349/7349**Authentication Functions**• Message encryption • Ciphertext itself serves as authenticator • Message authentication code • Public function combines message and secret key into fixed length value • Hash function • Public function maps message into fixed length value CSE 5349/7349**M**M E D EK(M) K K (a) Conventional encryption : confidentiality and authentication M M E D EKU (M) KR KU b b b (b) Public-key encryption : confidentiality Encryption for Authentication CSE 5349/7349**EKR (M)**EKR (M) EKR (M) KR KU KU KR KR KU b b a a a a a a a EKU [EKR (M)] a b Encryption for Authentication Destination M M E D (c) Public-key encryption : authentication and signature M M E D D E (d) Public-key encryption : confidentiality, authentication and signature CSE 5349/7349**Destination**Source M M C | | Compare K K C CK(M) Message Authentication CodeMAC CSE 5349/7349**Source**Destination M M C | | E D Compare K1 K2 K2 K1 EK [M||CK (M)] 2 1 CK (M) C 1 Message authentication and confidentiality; authentication tied to plaintext EK [M] 2 M E | | D M C K2 K2 K1 Compare K1 CK (EK [M]) C 1 2 Message authentication and confidentiality; authentication tied to ciphertext MAC (cont’d) CSE 5349/7349**Message Authentication CodeMAC**• Cryptographic checksum • Mixes message with (shared) secret key to produce a fixed size block • Assurances: • Message has not been altered • Message is from alleged sender • Message sequence is unaltered (requires internal sequencing) • MAC algorithm need not be reversible CSE 5349/7349**Why Use MACs?**• Why not just use encryption? • Clear-text stays clear • MAC might be cheaper • Broadcast • Authentication of executables • Architectural flexibility • Separation of authentication check from message use • Prolong the period of protection CSE 5349/7349**Time = 1**Time = 2 Time = N – 1 Time = N D1 (64 bits) D2 DN – 1 DN + + + DES encrypt DES encrypt DES encrypt DES encrypt • • • K (56 bits) K K K O1 (64 bits) O2 ON – 1 ON DAC (16 to 64 bits) DES-Based MAC CSE 5349/7349**MAC Requirements**• Given M and Ck(M), it must be computationally infeasible to construct M’ s.t. Ck(M) = Ck(M’) • For any M and M’, Pr[Ck(M) = Ck(M’)] should be 2-n, where n is the length of the MAC • Let M’ be equal to some known transformation on M. Then, Pr[Ck(M) = Ck(M’)] = 2-n. CSE 5349/7349**Attacks on MACs**• Let k = key length, n = MAC length • If k > n • Brute force gives 2(k-n) candidate keys • Second round (new C and M) reduces this to 2(k-2n) candidate keys • On average, this requires k/n rounds CSE 5349/7349**Attacks on MACs**• If k n, one round should suffice • Other attacks are possible, depending on the MAC algorithm • E.g., suppose Ck(M) = DES(k, X1 X2 ... Xm) • Replace Xi by Yi for i < m • Calculate Ym to produce the right checksum • Ym = Y1 Y2 ... Ym-1 X1 X2 ... Xm CSE 5349/7349**One-way Hash Functions**• Converts a variable size message M into fixed size hash code H(M) • Can be used with encryption for authentication • E(M || H) • M || E(H) • M || signed H • E( M || signed H ) gives confidentiality • M || H( M || K ) • E( M || H( M || K ) ) CSE 5349/7349**Destination**Source M M H | | E D Compare K K EK[M||H(M)] H(M) H (a) H M M | | K Compare K D EK[H(M)] H E (b) Hash (cont’d) CSE 5349/7349**Destination**Source H M M | | KU Compare a KR a D EKR [H(M)] a H E (c) M M H | | E D Compare KUa KRa K K EK[M||EKR [H(M)]] a EKR H(M) H E D a (d) Hash (cont’d) CSE 5349/7349**Destination**Source M M | | s | | H Compare H(M||S) s | | H (e) M M | | E D s | | H Compare K K EK[M||H(M||S)] s H(M||S) | | H (f) Hash (cont’d) CSE 5349/7349**Hash Function Requirements**• H can be applied to any size data block • H produces fixed length output • H is fast • H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x) CSE 5349/7349**Hash Requirements (cont’d)**• H is weakly collision resistant: given x, it is computationally infeasible to find any x’ s.t. H(x) = H(x’) • H is strongly collision resistant: it is computationally infeasible to find any x and y s.t. H(x) = H(y) CSE 5349/7349**Hash Requirements (cont’d)**• One-way property is essential for authentication • Weak collision resistance is necessary to prevent forgery • Strong collision resistance is important for resistance to birthday attack CSE 5349/7349**Birthday Attack**• Let H have m-bit output. What is the value of k s.t. if H is applied to k random inputs, a duplicate is likely? • Approximately 2m/2 • Comes from the B’day paradox • Given a room with k people, what is the probability that two of them have the same birthday (same month and day, assume no twins, etc) CSE 5349/7349**Birthday Attack (cont’d)**• If the adversary can generate 2m/2 variants of a valid message and an equal number of fraudulent messages • The two sets are compared to find one message from each set with a common hash value • The valid message is offered for signature • The fraudulent message with the same hash value is inserted in its place • Moral – length of hash code should be substantial CSE 5349/7349**Security of Hash Functions**• Brute force attack on n-bit output to find collisions • One-way and weak collision require O(2n) effort • Strong collision requires O(2n/2) effort CSE 5349/7349**Cryptanalysis of Hash Functions**• General model of hash functions • Staged compression function f • L stages, Y0, Y1, …, YL-1 • b input bits, n output bits per stage • initialization value • chaining variable • CV0 = IV • CVi = f(Cvi-1, Yi-1) • H(M = Y0Y1…YL-1) = CVL CSE 5349/7349**Cryptanalysis of Hash Functions**• Collision resistance in the compression function results in collision resistance in the iterated hash function • This narrows the problem of finding a collision resistant hash function to that of finding a collision resistant compression function CSE 5349/7349**Hash Algorithms**CSE 5349/49**Popular Algorithms**CSE 5349/7349**MD5**• Message digest algorithm developed by Ron Rivest • Algorithm takes a message of arbitrary length and produces a 128-bit digest • The resulting digest is the unique “fingerprint” of the original message CSE 5349/7349**Padding**• Message is padded so that its length in bits is congruent to 448 modulo 512 • Length of padded message is 64 bits less than an integer multiple of 512 bits • Padding is always added even if the message is the desired length • Padding consists of a single 1 bit followed by 0 bits CSE 5349/7349**Append Length**• A 64 bit representation of the length in bits of the original message (before padding) is appended to the result of step 1 • If the original length is greater than 264, only the low-order 64 bits of the length are used • The length of the outcome of the first two steps is multiple of 512 bits CSE 5349/7349**Initialize MD buffer**• A 128-bit buffer is used to hold intermediate and final results of the hash function • Buffer can be represented as 4 32-bit registers (A,B,C,D) • As 32 bit strings the init values (in hex): • word A: 01 23 45 67 • word B: 89 AB CD EF • word C: FE DC BA 98 • word D: 76 54 32 10 CSE 5349/7349**HMD5 = 4-round compression function**message length Message 100…0 L X 512 bits 512 bits ... ... Block0 Block1 Blockn BlockL-1 512 128 HMD5 HMD5 HMD5 HMD5 MD buffer0 MD bufferL-1 MD buffern MD buffer1 128-bit digest CSE 5349/7349**Message Processing**• Message is processed in 512-bit blocks • Each block goes through a 4 round compression function • After all 512-bit blocks have been processed, the output from the compression function is the 128-bit digest CSE 5349/7349**128**Buffer q Block q B C D 32 A 512 Round 1 Round 2 Round 3 Round 4 + + + + 128 Buffer q +1 CSE 5349/7349**- Each round is 16 steps, this is an ex.of a single step**- The order in which a,b,c,d is used produces a circular right shift of one word for each step A B C D + g X[k] + T[i] + CLSs + A B C D CSE 5349/7349**g = primitive function**• X[k] = kth 32-bit word in one of the 512 bit blocks • T[i] = 232 x abs(sin(i)) • Round 1 • g(b,c,d) = (b AND c) OR (NOT b AND d) • k = 0...15 • i = 1...16 • Round 2 • g(b,c,d) = (b AND d) OR (c AND NOT d) • k = (1 + 5j)mod 16 where j = 1…16 • i = 17..32 CSE 5349/7349**Round 3**• g(b,c,d) = b XOR c XOR d • k = (5 + 3j)mod 16 where j = 1…16 • i = 33…48 • Round 4 • g(b,c,d) = c XOR (b OR NOT d) • k = 7j mod 16 where j = 1…16 • i = 49…64 CSE 5349/7349**SHA1 & RIPEMD**CSE 5349/49**Introduction**• Developed by NIST and published as FIP PUB 180 in 1993. • Revised version (SHA-1) issued as FIPS PUB 180-1 in 1995 • The algorithm takes as input a message with a maximum length of less than 264 bits and produces a 160-bit message digest. • The input is processed in 512-bit blocks. CSE 5349/7349**Message Extension**• The processing cycle consists of the following steps: • Append padding bits. • Append length. • Initialize MD buffer. • Process the plaintext message in 512 bit blocks. • Output the message digest for the plaintext message. CSE 5349/7349**Message Extension (cont’d)**• In SHA-1 padding is always added to the plaintext message regardless of its length. • First append a binary “1”, then as many binary “0”s as needed to make the padded message 64 bits short of a multiple of 512 bits. CSE 5349/7349**Append Length**• Finally, a block of 64 bits is appended to the message. • It contains the length of the original plaintext message prior to padding. • This is an unsigned integer with the most significant bit (MSB) first. CSE 5349/7349**Initialize MD Buffer**• A 160-bit buffer is used to hold intermediate and final results of the hash function. • It is represented as five 32-bit registers {A, B, C, D, E}. • The initial register value are: • A = 67452301 • B = EFCDAB89 • C = 98BACDFE • D = 10325476 • E = C3D2E1F0 CSE 5349/7349**Message Processing**• The core of the algorithm is the HSHA compression function that processes 512-bit blocks. CSE 5349/7349**Message Processing (cont’d)**• The compression function consists of four rounds. • Each round consists of 20 processing steps. • The four rounds have a similar structure but each uses a different primitive logical function f1, f2, f3, and f4. CSE 5349/7349**SHA-1Primitive Functions (ft)**CSE 5349/7349**SHA-1Truth Table for Function (ft)**CSE 5349/7349**SHA-1 Secure Hash Function512-bit Block Processing Function**• Each round takes as an input the current 512-bit block being processed Yq and the 160-bit buffer value {ABCDE} and updates the contents of the buffer. • Each round makes use of an additive constant Kt, where 0 ≤ t ≤ 79 indicates one of 80 processing steps across four rounds. CSE 5349/7349**Additive Constants**• The value for these in hex are: • For 0 ≤ t ≤ 19 • Kt = 5A827999 • For 20 ≤ t ≤ 39 • Kt = 6ED9EBA1 • For 40 ≤ t ≤ 59 • Kt = 8F1BBCDC • For 60 ≤ t ≤ 79 • Kt = CA62C1D6 CSE 5349/7349