message authentication n.
Skip this Video
Loading SlideShow in 5 Seconds..
Message Authentication PowerPoint Presentation
Download Presentation
Message Authentication

Loading in 2 Seconds...

  share
play fullscreen
1 / 73
Download Presentation

Message Authentication - PowerPoint PPT Presentation

barth
162 Views
Download Presentation

Message Authentication

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Message Authentication MAC and Hash CSE 5349/49

  2. Message Authentication • Verify that messages come from the alleged source, unaltered • Authentication requirements • Authentication functions CSE 5349/7349

  3. Authentication Requirements • Masquerade • Content modification • Insertion, deletion, transposition, modification of message contents • Sequence modification • Insertion, deletion, reordering of sequenced messages • Timing modification • Delay, replay • Repudiation • Denial of message transmission or receipt CSE 5349/7349

  4. Authentication Functions • Message encryption • Ciphertext itself serves as authenticator • Message authentication code • Public function combines message and secret key into fixed length value • Hash function • Public function maps message into fixed length value CSE 5349/7349

  5. M M E D EK(M) K K (a) Conventional encryption : confidentiality and authentication M M E D EKU (M) KR KU b b b (b) Public-key encryption : confidentiality Encryption for Authentication CSE 5349/7349

  6. EKR (M) EKR (M) EKR (M) KR KU KU KR KR KU b b a a a a a a a EKU [EKR (M)] a b Encryption for Authentication Destination M M E D (c) Public-key encryption : authentication and signature M M E D D E (d) Public-key encryption : confidentiality, authentication and signature CSE 5349/7349

  7. Destination Source M M C | | Compare K K C CK(M) Message Authentication CodeMAC CSE 5349/7349

  8. Source Destination M M C | | E D Compare K1 K2 K2 K1 EK [M||CK (M)] 2 1 CK (M) C 1 Message authentication and confidentiality; authentication tied to plaintext EK [M] 2 M E | | D M C K2 K2 K1 Compare K1 CK (EK [M]) C 1 2 Message authentication and confidentiality; authentication tied to ciphertext MAC (cont’d) CSE 5349/7349

  9. Message Authentication CodeMAC • Cryptographic checksum • Mixes message with (shared) secret key to produce a fixed size block • Assurances: • Message has not been altered • Message is from alleged sender • Message sequence is unaltered (requires internal sequencing) • MAC algorithm need not be reversible CSE 5349/7349

  10. Why Use MACs? • Why not just use encryption? • Clear-text stays clear • MAC might be cheaper • Broadcast • Authentication of executables • Architectural flexibility • Separation of authentication check from message use • Prolong the period of protection CSE 5349/7349

  11. Time = 1 Time = 2 Time = N – 1 Time = N D1 (64 bits) D2 DN – 1 DN + + + DES encrypt DES encrypt DES encrypt DES encrypt • • • K (56 bits) K K K O1 (64 bits) O2 ON – 1 ON DAC (16 to 64 bits) DES-Based MAC CSE 5349/7349

  12. MAC Requirements • Given M and Ck(M), it must be computationally infeasible to construct M’ s.t. Ck(M) = Ck(M’) • For any M and M’, Pr[Ck(M) = Ck(M’)] should be 2-n, where n is the length of the MAC • Let M’ be equal to some known transformation on M. Then, Pr[Ck(M) = Ck(M’)] = 2-n. CSE 5349/7349

  13. Attacks on MACs • Let k = key length, n = MAC length • If k > n • Brute force gives 2(k-n) candidate keys • Second round (new C and M) reduces this to 2(k-2n) candidate keys • On average, this requires k/n rounds CSE 5349/7349

  14. Attacks on MACs • If k  n, one round should suffice • Other attacks are possible, depending on the MAC algorithm • E.g., suppose Ck(M) = DES(k, X1  X2  ... Xm) • Replace Xi by Yi for i < m • Calculate Ym to produce the right checksum • Ym = Y1  Y2  ... Ym-1 X1  X2  ... Xm CSE 5349/7349

  15. One-way Hash Functions • Converts a variable size message M into fixed size hash code H(M) • Can be used with encryption for authentication • E(M || H) • M || E(H) • M || signed H • E( M || signed H ) gives confidentiality • M || H( M || K ) • E( M || H( M || K ) ) CSE 5349/7349

  16. Destination Source M M H | | E D Compare K K EK[M||H(M)] H(M) H (a) H M M | | K Compare K D EK[H(M)] H E (b) Hash (cont’d) CSE 5349/7349

  17. Destination Source H M M | | KU Compare a KR a D EKR [H(M)] a H E (c) M M H | | E D Compare KUa KRa K K EK[M||EKR [H(M)]] a EKR H(M) H E D a (d) Hash (cont’d) CSE 5349/7349

  18. Destination Source M M | | s | | H Compare H(M||S) s | | H (e) M M | | E D s | | H Compare K K EK[M||H(M||S)] s H(M||S) | | H (f) Hash (cont’d) CSE 5349/7349

  19. Hash Function Requirements • H can be applied to any size data block • H produces fixed length output • H is fast • H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x) CSE 5349/7349

  20. Hash Requirements (cont’d) • H is weakly collision resistant: given x, it is computationally infeasible to find any x’ s.t. H(x) = H(x’) • H is strongly collision resistant: it is computationally infeasible to find any x and y s.t. H(x) = H(y) CSE 5349/7349

  21. Hash Requirements (cont’d) • One-way property is essential for authentication • Weak collision resistance is necessary to prevent forgery • Strong collision resistance is important for resistance to birthday attack CSE 5349/7349

  22. Birthday Attack • Let H have m-bit output. What is the value of k s.t. if H is applied to k random inputs, a duplicate is likely? • Approximately 2m/2 • Comes from the B’day paradox • Given a room with k people, what is the probability that two of them have the same birthday (same month and day, assume no twins, etc) CSE 5349/7349

  23. Birthday Attack (cont’d) • If the adversary can generate 2m/2 variants of a valid message and an equal number of fraudulent messages • The two sets are compared to find one message from each set with a common hash value • The valid message is offered for signature • The fraudulent message with the same hash value is inserted in its place • Moral – length of hash code should be substantial CSE 5349/7349

  24. Security of Hash Functions • Brute force attack on n-bit output to find collisions • One-way and weak collision require O(2n) effort • Strong collision requires O(2n/2) effort CSE 5349/7349

  25. Cryptanalysis of Hash Functions • General model of hash functions • Staged compression function f • L stages, Y0, Y1, …, YL-1 • b input bits, n output bits per stage • initialization value • chaining variable • CV0 = IV • CVi = f(Cvi-1, Yi-1) • H(M = Y0Y1…YL-1) = CVL CSE 5349/7349

  26. Cryptanalysis of Hash Functions • Collision resistance in the compression function results in collision resistance in the iterated hash function • This narrows the problem of finding a collision resistant hash function to that of finding a collision resistant compression function CSE 5349/7349

  27. Hash Algorithms CSE 5349/49

  28. Popular Algorithms CSE 5349/7349

  29. MD5 • Message digest algorithm developed by Ron Rivest • Algorithm takes a message of arbitrary length and produces a 128-bit digest • The resulting digest is the unique “fingerprint” of the original message CSE 5349/7349

  30. Padding • Message is padded so that its length in bits is congruent to 448 modulo 512 • Length of padded message is 64 bits less than an integer multiple of 512 bits • Padding is always added even if the message is the desired length • Padding consists of a single 1 bit followed by 0 bits CSE 5349/7349

  31. Append Length • A 64 bit representation of the length in bits of the original message (before padding) is appended to the result of step 1 • If the original length is greater than 264, only the low-order 64 bits of the length are used • The length of the outcome of the first two steps is multiple of 512 bits CSE 5349/7349

  32. Initialize MD buffer • A 128-bit buffer is used to hold intermediate and final results of the hash function • Buffer can be represented as 4 32-bit registers (A,B,C,D) • As 32 bit strings the init values (in hex): • word A: 01 23 45 67 • word B: 89 AB CD EF • word C: FE DC BA 98 • word D: 76 54 32 10 CSE 5349/7349

  33. HMD5 = 4-round compression function message length Message 100…0 L X 512 bits 512 bits ... ... Block0 Block1 Blockn BlockL-1 512 128 HMD5 HMD5 HMD5 HMD5 MD buffer0 MD bufferL-1 MD buffern MD buffer1 128-bit digest CSE 5349/7349

  34. Message Processing • Message is processed in 512-bit blocks • Each block goes through a 4 round compression function • After all 512-bit blocks have been processed, the output from the compression function is the 128-bit digest CSE 5349/7349

  35. 128 Buffer q Block q B C D 32 A 512 Round 1 Round 2 Round 3 Round 4 + + + + 128 Buffer q +1 CSE 5349/7349

  36. - Each round is 16 steps, this is an ex.of a single step - The order in which a,b,c,d is used produces a circular right shift of one word for each step A B C D + g X[k] + T[i] + CLSs + A B C D CSE 5349/7349

  37. g = primitive function • X[k] = kth 32-bit word in one of the 512 bit blocks • T[i] = 232 x abs(sin(i)) • Round 1 • g(b,c,d) = (b AND c) OR (NOT b AND d) • k = 0...15 • i = 1...16 • Round 2 • g(b,c,d) = (b AND d) OR (c AND NOT d) • k = (1 + 5j)mod 16 where j = 1…16 • i = 17..32 CSE 5349/7349

  38. Round 3 • g(b,c,d) = b XOR c XOR d • k = (5 + 3j)mod 16 where j = 1…16 • i = 33…48 • Round 4 • g(b,c,d) = c XOR (b OR NOT d) • k = 7j mod 16 where j = 1…16 • i = 49…64 CSE 5349/7349

  39. SHA1 & RIPEMD CSE 5349/49

  40. Introduction • Developed by NIST and published as FIP PUB 180 in 1993. • Revised version (SHA-1) issued as FIPS PUB 180-1 in 1995 • The algorithm takes as input a message with a maximum length of less than 264 bits and produces a 160-bit message digest. • The input is processed in 512-bit blocks. CSE 5349/7349

  41. Message Extension • The processing cycle consists of the following steps: • Append padding bits. • Append length. • Initialize MD buffer. • Process the plaintext message in 512 bit blocks. • Output the message digest for the plaintext message. CSE 5349/7349

  42. Message Extension (cont’d) • In SHA-1 padding is always added to the plaintext message regardless of its length. • First append a binary “1”, then as many binary “0”s as needed to make the padded message 64 bits short of a multiple of 512 bits. CSE 5349/7349

  43. Append Length • Finally, a block of 64 bits is appended to the message. • It contains the length of the original plaintext message prior to padding. • This is an unsigned integer with the most significant bit (MSB) first. CSE 5349/7349

  44. Initialize MD Buffer • A 160-bit buffer is used to hold intermediate and final results of the hash function. • It is represented as five 32-bit registers {A, B, C, D, E}. • The initial register value are: • A = 67452301 • B = EFCDAB89 • C = 98BACDFE • D = 10325476 • E = C3D2E1F0 CSE 5349/7349

  45. Message Processing • The core of the algorithm is the HSHA compression function that processes 512-bit blocks. CSE 5349/7349

  46. Message Processing (cont’d) • The compression function consists of four rounds. • Each round consists of 20 processing steps. • The four rounds have a similar structure but each uses a different primitive logical function f1, f2, f3, and f4. CSE 5349/7349

  47. SHA-1Primitive Functions (ft) CSE 5349/7349

  48. SHA-1Truth Table for Function (ft) CSE 5349/7349

  49. SHA-1 Secure Hash Function512-bit Block Processing Function • Each round takes as an input the current 512-bit block being processed Yq and the 160-bit buffer value {ABCDE} and updates the contents of the buffer. • Each round makes use of an additive constant Kt, where 0 ≤ t ≤ 79 indicates one of 80 processing steps across four rounds. CSE 5349/7349

  50. Additive Constants • The value for these in hex are: • For 0 ≤ t ≤ 19 • Kt = 5A827999 • For 20 ≤ t ≤ 39 • Kt = 6ED9EBA1 • For 40 ≤ t ≤ 59 • Kt = 8F1BBCDC • For 60 ≤ t ≤ 79 • Kt = CA62C1D6 CSE 5349/7349