Lecture 04 Message Authentication and Hash Functions. Asst.Prof.Supakorn Kungpisdan, Ph.D. supakorn@mut.ac.th. Outline. Authentication Requirements Authentication Functions Hash and MAC Algorithms. What is Authentication?.
Lecture 04 Message Authentication and Hash Functions
Asst. Prof. Supakorn Kungpisdan, Ph.D.
supakorn@mut.ac.th
NETE0519-ITEC4614
Outline
• Authentication Requirements
• Authentication Functions
• Hash and MAC Algorithms
What is Authentication?
• A procedure to verify that received messages come from the alleged source and have not been altered.
• A digital signature is one of these techniques; it also includes a countermeasure against repudiation by either source or destination.
Authentication Requirements
• Possible attacks
  1. Disclosure
  2. Traffic Analysis
  3. Masquerade
  4. Content Modification
  5. Sequence Modification
  6. Timing Modification
  7. Repudiation: source and destination repudiation
• Attacks #1-2 -> Confidentiality
• Attacks #3-7 -> Authentication
• In particular, #7 is related to Digital Signature
Authentication Functions
• 3 types of cryptographic operations related to authentication:
  • Message Encryption
  • Message Authentication Code (MAC)
  • Hash Function
Message Encryption
• Conventional Encryption
Conventional Encryption (cont.)
• Conventional encryption provides a weak form of authentication
• If Bob can recover a message encrypted with a key shared between Alice and Bob, Bob knows that Alice sent this message.
• If the message has been altered, Bob would not be able to read it.
Message Encryption (cont.)
• Public-key Encryption
Confidentiality and Authentication Implications of Message Encryption
Confidentiality and Authentication Implications of Msg Encryption (cont.)
Message Authentication Codes (MACs)
• A MAC involves the use of a secret key to generate a small fixed-size block of data.
• A MAC is also known as a cryptographic checksum: MAC = C_K(M), where M is a variable-length message, K is a secret key shared between sender and receiver, and C_K(M) is the fixed-length authenticator.
• The MAC is appended to the message and sent to the receiver.
Message Authentication Code
• A MAC is irreversible, but encryption isn't.
  1. Alice and Bob share the secret K1.
  2. Alice calculates MAC1 = C_K1(M)
     Alice -> Bob: {M, MAC1}
  3. Bob calculates MAC2 = C_K1(M)
     If MAC2 = MAC1, M was sent by Alice and has not been altered
• Confidentiality can be provided by encryption with another shared key.
     Alice -> Bob: {M, MAC1}K2
Requirements for MACs
• If an opponent observes M and C_K(M), it should be computationally infeasible to construct M' such that C_K(M') = C_K(M).
• C_K(M) should be uniformly distributed in the sense that, for randomly chosen messages M and M', the probability that C_K(M) = C_K(M') is 2^-n, where n is the number of bits in the MAC.
• Let M' be equal to some known transformation on M, that is, M' = f(M). For example, f may involve inverting one or more specific bits. In that case, Pr[C_K(M) = C_K(M')] = 2^-n.
Using Symmetric Ciphers for MACs
• can use any block cipher chaining mode and use final block as a MAC
• Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
  • using IV=0 and zero-pad of final block
  • encrypt message using DES in CBC mode
  • and send just the final block as the MAC
  • or the leftmost M bits (16≤M≤64) of final block
• but final MAC is now too small for security
Data Authentication Algorithm
Hash Functions
• A (one-way) hash function accepts a variable-size message M as input and produces a fixed-size hash code H(M), called the message digest, as output.
• The hash code provides error detection: a change in one bit of the message results in a change to the hash code.
Requirements for a Hash Function
• H can be applied to a block of data of any size.
• H produces a fixed-length output.
• It is easy to compute H(x) from any given x.
• For any given h, it is computationally infeasible to find x such that H(x) = h ("one-way property")
• For any x, it is computationally infeasible to find y ≠ x such that H(y) = H(x) ("weak collision resistance")
• It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) ("strong collision resistance")
Simple Hash Function
• Bit-by-bit exclusive-OR (XOR)
  C_i = b_i1 ⊕ b_i2 ⊕ … ⊕ b_im
  where
  C_i = ith bit of the hash code, 1 ≤ i ≤ n
  m = no. of n-bit blocks in the input
  b_ij = ith bit in jth block
  ⊕ = XOR operation
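The XOR hash above detects a single flipped bit but fails the weak collision resistance requirement from the previous slide. The following is an added example, not part of the original slides; the 8-byte block size, the zero padding, the sample messages and all function names are assumptions made for the demonstration.

```python
from functools import reduce

BLOCK = 8  # n = 64-bit blocks; a size chosen for this demo

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _pad(msg: bytes, block: int) -> bytes:
    """Zero-pad to a whole number of blocks (padding rule assumed for the demo)."""
    return msg + b"\x00" * (-len(msg) % block)

def xor_hash(msg: bytes, block: int = BLOCK) -> bytes:
    """C_i = b_i1 XOR b_i2 XOR ... XOR b_im, computed a block at a time."""
    msg = _pad(msg, block)
    blocks = (msg[i:i + block] for i in range(0, len(msg), block))
    return reduce(_xor, blocks, bytes(block))

def same_hash_variant(original: bytes, other: bytes, block: int = BLOCK) -> bytes:
    """Return a message that starts with `other` yet hashes like `original`.

    One appended block equal to H(original) XOR H(other) cancels the difference,
    so the XOR hash offers no weak collision resistance.
    """
    other = _pad(other, block)
    return other + _xor(xor_hash(original, block), xor_hash(other, block))

# Constructed sample messages.
ORIGINAL = b"PAY 0100 TO BOB "          # two 8-byte blocks
SWAPPED = ORIGINAL[8:] + ORIGINAL[:8]    # same blocks, different order
ONE_BIT = bytes([ORIGINAL[0] ^ 1]) + ORIGINAL[1:]
VARIANT = same_hash_variant(ORIGINAL, b"PAY 9900 TO EVE ")

if __name__ == "__main__":
    print("original :", xor_hash(ORIGINAL).hex())
    print("one bit  :", xor_hash(ONE_BIT).hex())    # differs: error detection works
    print("swapped  :", xor_hash(SWAPPED).hex())    # identical: block order is invisible
    print("variant  :", xor_hash(VARIANT).hex())    # identical: a second message was found
```

This is why the requirements list asks for more than error detection: a hash used for authentication must make such a second message computationally infeasible to find.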
Basic Uses of Hash Functions
Digital Signature
Basic Uses of Hash Functions (cont.)
S is shared between sender and receiver
Hash and MAC Algorithms
• Hash Functions
  • condense arbitrary size message to fixed size
  • by processing message in blocks
  • through some compression function
  • either custom or block cipher based
• Message Authentication Code (MAC)
  • fixed sized authenticator for some message
  • to provide authentication for message
  • by using block cipher mode or hash function
Roadmap
• Authentication Requirements
• Authentication Functions
• Hash and MAC Algorithms
  • MD5
  • SHA-1
  • HMAC
General Structure of Hash Function
  f: compression function taking two inputs and producing n-bit output
  CV_0 = IV = initial n-bit value
  CV_i = f(CV_{i-1}, Y_{i-1}), 1 ≤ i ≤ L
  H(M) = CV_L
MD5 Message Digest Algorithm
MD5 Steps
1. Append padding bits: up to 64 bits less than a multiple of 512 bits
2. Append length: 64-bit representation of the length in bits. If the message is longer than 2^64 bits, only the low-order 64 bits of the length are used.
  • Message length = K mod 2^64. K is the message represented in decimal number.
  • The message is represented as a sequence of 512-bit blocks Y_0, Y_1, …, Y_{L-1}
  • So, we have L blocks of 512 bits
  • Each block is divided into 16 32-bit words.
  • Total number of words in the message is N, represented by M[0, …, N-1], N = L x 16
MD5 Steps (cont.)
3. Initialize MD buffer
  • The buffer is represented as 4 32-bit registers (A, B, C, D)
  • Initialization value (in hex)
    A: 01 23 45 67 (32 bits)
    B: 89 AB CD EF
    C: FE DC BA 98
    D: 76 54 32 10
MD5 Steps (cont.)
4. Process message in 512-bit (16-word) blocks
MD5 Steps (cont.)
5. Output
  CV_0 = IV
  CV_{q+1} = SUM32(CV_q, RF_I[Y_q, RF_H[Y_q, RF_G[Y_q, RF_F[Y_q, CV_q]]]])
  MD = CV_L
  where
  IV = initial value of ABCD buffer
  Y_q = the qth 512-bit block of the message
  L = the number of blocks in the message
  CV_q = chaining variable processed with qth message block
  RF_x = round function using primitive function x
  MD = final message digest value
  SUM32 = addition modulo 2^32 performed separately on each word of the pair of inputs
MD5 Compression Function S-bit circular left shift Addition modulo
MD5 Compression Function (cont.)
• Each step is of the form:
  a <- b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
  where
  a, b, c, d = four words of the buffer
  g = one of the primitive functions F, G, H, I
  <<< s = s-bit circular left shift
  X[k] = M[q x 16 + k] = the kth 32-bit word in the qth 512-bit block of the message
  T[i] = the ith 32-bit word in matrix T
  + = addition modulo 2^32
MD5 Update Algorithm
L = N/16
1 block = 16 words
SHA-1
• MD5 accepts an arbitrary length of input and produces a 128-bit output.
• SHA-1 accepts an arbitrary length (less than 2^64 bits) of input and produces a 160-bit output.
SHA-1 Steps
1. Append padding bits to 64 bits less than a multiple of 512 bits (length ≡ 448 mod 512)
2. Append length: length of original message in binary (64 bits)
3. Initialize MD buffer (160 bits)
  Initialization value
    A: 67 45 23 01
    B: EF CD AB 89
    C: 98 BA DC FE
    D: 10 32 54 76
    E: C3 D2 E1 F0
SHA-1 Steps (cont.)
4. Process message in 512-bit (16-word) blocks: for each 512-bit message block to be processed,
  • 4 rounds, 20 steps each (compared to 16 steps each in MD5)
  • So, 80 steps for 4 rounds
SHA-1 Steps (cont.)
SHA-1 Steps (cont.)
5. Output
  • After all 512-bit blocks have been processed, the output from the Lth stage is the 160-bit message digest.
  CV_0 = IV
  CV_{q+1} = SUM32(CV_q, ABCDE_q)
  where
  IV = initial value of ABCDE buffer
  ABCDE_q = the output of the last round of processing of the qth message block
  L = no. of message blocks
  SUM32 = addition modulo 2^32
SHA-1 Compression Function
• In each of the 80 steps of processing one 512-bit message block:
  A, B, C, D, E <- (E + f(t, B, C, D) + S^5(A) + W_t + K_t), A, S^30(B), C, D
  where
  A, B, C, D, E = words of the buffer
  t = step number, 0 ≤ t ≤ 79
  f(t, B, C, D) = primitive function for step t
  S^k = k-bit circular shift of the 32-bit argument
  W_t = a 32-bit word derived from the current 512-bit input block
  K_t = an additive constant for step t
  + = addition modulo 2^32
SHA-1 Compression Function (cont.)
SHA-1 Compression Function (cont.)
  W_t = S^1(W_{t-16} ⊕ W_{t-14} ⊕ W_{t-8} ⊕ W_{t-3})
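The five SHA-1 steps and the step function above, put together as an added example that is not part of the original slides. The per-step functions f(t, B, C, D) and constants K_t are not listed in the slide text and are taken here from FIPS 180; the function names are this example's own, and `self_check` compares the result with Python's hashlib.

```python
import hashlib
import struct

def rotl(x: int, k: int) -> int:
    """S^k: k-bit circular left shift of a 32-bit word."""
    return ((x << k) | (x >> (32 - k))) & 0xFFFFFFFF

def sha1(message: bytes) -> str:
    # Steps 1-2: pad with a 1 bit and zeros to 448 mod 512 bits, then append
    # the original length in bits as a 64-bit big-endian integer.
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", 8 * len(message))
    # Step 3: initialize the 160-bit buffer A, B, C, D, E (CV_0 = IV).
    cv = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Step 4: process each 512-bit block Y_q in 80 steps.
    for q in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[q:q + 64]))
        for t in range(16, 80):  # W_t = S^1(W_{t-16} ^ W_{t-14} ^ W_{t-8} ^ W_{t-3})
            w.append(rotl(w[t - 16] ^ w[t - 14] ^ w[t - 8] ^ w[t - 3], 1))
        a, b, c, d, e = cv
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            total = (e + f + rotl(a, 5) + w[t] + k) & 0xFFFFFFFF
            a, b, c, d, e = total, a, rotl(b, 30), c, d
        # Step 5: CV_{q+1} = SUM32(CV_q, ABCDE_q)
        cv = [(x + y) & 0xFFFFFFFF for x, y in zip(cv, (a, b, c, d, e))]
    return "".join(f"{word:08x}" for word in cv)

def self_check() -> bool:
    """Compare with hashlib around the padding boundaries (55, 56, 64 bytes)."""
    return all(sha1(b"a" * n) == hashlib.sha1(b"a" * n).hexdigest()
               for n in (0, 1, 55, 56, 63, 64, 119, 1000))

if __name__ == "__main__":
    print(sha1(b"abc"), self_check())
```

The lengths 55 and 56 bytes matter because a 56-byte message no longer leaves room for the 64-bit length field in the same block, so padding spills into a second block.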
SHA-1 VS MD5
• Security against brute-force attacks
  • The SHA-1 output is longer than that of MD5
• Security against cryptanalysis
  • Collisions have been reported for both MD5 and SHA-1
• Speed
  • SHA-1 is slower than MD5 (80 versus 64 steps per block)
• Simplicity and compactness
  • Both are simple
SHA-2 and SHA-3
• NIST issued revision FIPS 180-2 in 2002
• adds 3 additional versions of SHA
  • SHA-256, SHA-384, SHA-512
• designed for compatibility with increased security provided by the AES cipher
• structure and detail are similar to SHA-1
• hence analysis should be similar
• but security levels are rather higher
• Keccak has since been named SHA-3. It is not intended to replace SHA-2
SHA-512 Overview
Keyed Hash Functions as MACs
• want a MAC based on a hash function
  • because hash functions are generally faster
  • code for crypto hash functions widely available
• hash includes a key along with message
• original proposal: KeyedHash = Hash(Key|Message)
  • some weaknesses were found with this
• eventually led to development of HMAC
HMAC (Hashed MAC)
• A MAC based on a cryptographic hash code
• Motivations:
  • Executing a hash function is faster than a symmetric encryption
  • Library code for hash functions is widely available.
  • No export restrictions from the US to other countries
HMAC
• specified as Internet standard RFC 2104
• uses hash function on the message: HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
  • where K+ is the key padded out to size
  • and opad, ipad are specified padding constants
• overhead is just 3 more hash calculations than the message needs alone
• any hash function can be used
  • e.g. MD5, SHA-1, RIPEMD-160, Whirlpool
HMAC Algorithm
  H = hash function
  M = message
  Y_i = ith block of M, 0 ≤ i ≤ L-1
  L = no. of blocks in M
  b = no. of bits in a block (based on chosen hash function)
  n = length of hash code
  K = secret key
  K+ = K padded with zeros on the left so that the length is b bits
  ipad = 00110110 repeated b/8 times
  opad = 01011010 repeated b/8 times
  HMAC_K = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]
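The HMAC construction above, used for the Alice -> Bob {M, MAC1} exchange from the Message Authentication Code slide, as an added example that is not part of the original slides. It follows RFC 2104 as published: the key is padded by appending zero bytes, ipad is the byte 0x36 and opad is the byte 0x5C. The function names, key and message are constructed for the demonstration.

```python
import hashlib
import hmac

def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size   # block length in bytes (64 for SHA-256)
    if len(key) > b:                        # RFC 2104: hash keys longer than one block
        key = H(key)
    k_plus = key.ljust(b, b"\x00")          # K+: zero bytes appended up to b bytes
    inner = H(bytes(k ^ 0x36 for k in k_plus) + msg)
    return H(bytes(k ^ 0x5C for k in k_plus) + inner)

def send(key: bytes, msg: bytes) -> tuple:
    """Alice: compute MAC1 and transmit {M, MAC1}."""
    return msg, hmac_rfc2104(key, msg)

def receive(key: bytes, msg: bytes, mac1: bytes) -> bool:
    """Bob: recompute MAC2 and compare it with MAC1 in constant time."""
    return hmac.compare_digest(hmac_rfc2104(key, msg), mac1)

# Constructed sample values.
K1 = bytes(range(32))
M, MAC1 = send(K1, b"transfer 100 to account 42")

if __name__ == "__main__":
    print("MAC1              :", MAC1.hex())
    print("untouched message :", receive(K1, M, MAC1))
    print("altered message   :", receive(K1, M.replace(b"100", b"900"), MAC1))
    print("wrong key         :", receive(b"\x00" * 32, M, MAC1))
```

In production code call `hmac.new(key, msg, "sha256")` from the standard library directly; the hand-written version is here only to make each term of the formula visible.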
Advantages of HMAC
• Existing hash functions can be used in HMAC
• Easy to replace with a more secure or updated hash algorithm
• HMAC is proven more secure than hash algorithms
HMAC Security
• proved security of HMAC relates to that of the underlying hash algorithm
• attacking HMAC requires either:
  • brute force attack on key used
  • birthday attack (but since keyed would need to observe a very large number of messages)
• choose hash function used based on speed versus security constraints