Loading in 5 sec....

Lecture 04 Message Authentication and Hash FunctionsPowerPoint Presentation

Lecture 04 Message Authentication and Hash Functions

- 132 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Lecture 04 Message Authentication and Hash Functions' - decker

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Lecture 04Message Authentication and Hash Functions

Asst.Prof.Supakorn Kungpisdan, Ph.D.

Outline

- Authentication Requirements
- Authentication Functions
- Hash and MAC Algorithms

What is Authentication?

- A procedure to verify that received messages come from the alleged sourced and have not been altered.
- Digital Signature is one of the techniques including countermeasure of repudiation by either source or destination.

Authentication Requirements

- Possible attacks
- Disclosure
- Traffic Analysis
- Masquerade
- Content Modification
- Sequence Modification
- Timing Modification
- Repudiation: source and destination repudiation

- Attacks#1-2-> Confidentiality
- Attacks#3-7 -> Authentication
- Especially #7 is related to Digital Signature

Authentication Functions

- 3 Types of cryptographic operations related to authentication:
- Message Encryption
- Message Authentication Code (MAC)
- Hash Function

Conventional Encryption (cont.)

- Conventional encryption provides a weak form of authentication
- If Bob can recover a message encrypted with a shared key between Alice and Bob, Bob knows that Alice sent this message.
- If the message has been altered, Bob would not be able to read it.

Confidentiality and Authentication Implications of Message Encryption

Confidentiality and Authentication Implications of Msg Encryption (cont.)

Message Authentication Codes (MACs)

- MAC involves the use of a secret key to generate a small fixed-size block of data.
- A MAC is known as a cryptographic checksum:
MAC = CK(M)

where M is a variable-length message,

K is a secret key shared between sender and receiver, and

CK is fixed-length authenticator

- MAC is appended to the message and sent over to receiver.

Message Authentication Code

- MAC is irreversible, but encryption isn’t.
1. Alice and Bob share the secret K1.

2. Alice calculates MAC1 = CK1(M)

AliceBob: {M, MAC1}

3. Bob calculates MAC2 = CK1(M)

If MAC2 = MAC1, M is sent from Alice and not altered

- Confidentiality can be provided by encryption with another shared key.
AliceBob: {M, MAC1}K2

Requirements for MACs

- If an opponent observes M and CK(M), it should be computationally infeasible to construct M’ such that CK(M’) = CK(M).
- CK(M) should be uniformly distributed in the sense that for randomly chosen messages, M and M’, the probability that CK(M) = CK(M’) is 2-n, where n is the number of bits in the MAC.
- Let M’ be equal to some known transformation on M. That is, M’ = f(M). E.g. f may involve inverting one or more specific bits.
In that case, Pr[CK(M) = CK(M’)] = 2-n.

Using Symmetric Ciphers for MACs

- can use any block cipher chaining mode and use final block as a MAC
- Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
- using IV=0 and zero-pad of final block
- encrypt message using DES in CBC mode
- and send just the final block as the MAC
- or the leftmost M bits (16≤M≤64) of final block

- but final MAC is now too small for security

Data Authentication Algorithm

Hash Functions

- A (one-way) hash function accepts a variable-size message M as input and produces a fixed-size hash code H(M) as output (called Message Digest)
- Hash code provides error detection -> a change in one bit of message results in a change to the hash code.

Requirements for a Hash Functions

- H can be applied to a block of data of any size.
- H produces a fixed-length output.
- It is easy to compute H(x) from any given x.
- For any given h, computationally infeasible to find x, where H(x) = h (“one-way property”)
- For any x, computationally infeasible to find y, y≠x, H(y) = H(x) (“weak collision resistance”)
- Computationally infeasible to find any pair of (x, y) such than H(x) = H(y) (“strong collision resistance”)

Simple Hash Function

- Bit-by-bit exclusive-OR (XOR)
Ci = bi1 bi2 … bim

where Ci = ith bit of the hash code, 1 ≤ i ≤ n

m = no. of n-bit blocks in the input

bij = ith bit in jth block

= XOR operation

Hash and MAC Algorithms

- Hash Functions
- condense arbitrary size message to fixed size
- by processing message in blocks
- through some compression function
- either custom or block cipher based

- Message Authentication Code (MAC)
- fixed sized authenticator for some message
- to provide authentication for message
- by using block cipher mode or hash function

Roadmap

- Authentication Requirements
- Authentication Functions
- Hash and MAC Algorithms
- MD5
- SHA-1
- HMAC

General Structure of Hash Function

f: compression function taking two inputs and producing n-bit output

CV0 = IV = initial n-bit value

CVi = f(CVi-1, Yi-1), 1 ≤ i ≤ L

H(M) = CVL

MD5 Message Digest Algorithm

MD5 Steps

- Appendpadding bits: up to 64 bits less than multiple of 512 bits
- Append length: 64-bit representation of the length in bits. If message is longer than 264 bits, only low-order 64 bits of the length are used.
- Message length = K mod 264. K is the message represented in decimal number.
- The message is represented as a sequence of 512-bit blocks Y0, Y1, …, YL-1
- So, we have L blocks of 512 bits
- Each block is divided into 16 32-bit words.
- Total number of words in the message is N represented by M[0,…, N-1]
N = L x 16

MD5 Steps (cont.)

3. Initialize MD buffer

- The buffer is represented as 4 32-bit registers (A, B, C, D)
- Initialization value (in HEX)
A: 01 23 45 67 (32 bits)

B: 89 AB CD EF

C: FE DC BA 98

D: 76 54 32 10

MD5 Steps (cont.)

5. Output

CV0 = IV

CVq+1 = SUM32(CVq,RFI[Yq,RFH[Yq,RFG[Yq,RFF[Yq,CVq]]]])

MD = CVL

IV = initial value of ABCD buffer

Yq = the qth 512-bit block of the message

L = the number of blocks in the message

CVq = chaining variable processed with qth message block

RFx = round function using primitive function x

MD = final message digest value

SUM32 = Addition modulo 232 performed separately on each word of the pair of inputs

MD5 Compression Function (cont.)

- Each step is in the form:
a <- b + ((a + g(b,c,d)) + X[k] + T[i] <<< s)

a,b,c,d = four words of the buffer

g = one of the primitive functions F,G,H,I

<<<s = s-bit circular left shift

X[k] = M[q x 16 + k] = the kth 32-bit word in the qth 512-bit-block of the message

T[i] = the ith 32-bit word in matrix T

+ = addition modulo 232

SHA-1

- MD5 accepts arbitrary length of input and produces 128-bit output.
- SHA-1 accepts arbitrary length (less than 264 bits) of input and produces 160-bit output.

SHA-1 Steps

- Append padding bits to 64 bits less than multiple of 512 bit (length 448 mod 512)
- Append length: length of original message in binary (64 bits)
- Initialize MD buffer (160 bits)
Initialization value

A: 67 45 23 01

B: EF CD AB 89

C: 98 BA DC FE

D: 10 32 54 76

E: C3 D2 E1 F0

SHA-1 Steps (cont.)

4. Process message in 512-bit (16-word) blocks: for each 512-bit message to be processed,

- 4 rounds, 20 steps each (compared to 16 steps each in MD5)
- So, 80 steps for 4 rounds

SHA-1 Steps (cont.)

SHA-1 Steps (cont.)

5. Output

- After all 512-bit blocks have been processed, the output from Lth stage is the 160-bit message digest.
CV0 = IV

CVq+1 = SUM32(CVq, ABCDEq)

IV = initial value of ABCDE buffer

ABCDEq = the output of the last round of processing of the qth message blocks

L = no. of message blocks

SUM32 = Addition modulo 232

SHA-1 Compression Function

- In each of the 80 rounds of processing one 512-bit message block
A,B,C,D,E <- (E + f(t, B, C, D) + S5(A)+ Wt + Kt), A, S30(B), C, D

A,B,C,D,E = words of the buffer

t = step number, 0 ≤ t ≤ 79

f(t,B,C,D) = primitive function for step t

Sk = k-bit circular shift of the 32-bit argument

Wt = a 32-bit word derived from the current 512-bit input block

Kt = an additive constant for step t

+ = addition modulo 232

SHA-1 Compression Function (cont.)

SHA-1 VS MD5

- Security against brute-force attacks
- Length of SHA-1 output is longer than that of MD5

- Security against cryptanalysis
- Both MD5 and SHA-1 are reported collision

- Speed
- SHA-1 is slower than MD5 80 versus 64 steps each round

- Simplicity and compactness
- Both are simple

SHA-2 and SHA-3

- NIST issued revision FIPS 180-2 in 2002
- adds 3 additional versions of SHA
- SHA-256, SHA-384, SHA-512

- designed for compatibility with increased security provided by the AES cipher
- structure & detail is similar to SHA-1
- hence analysis should be similar
- but security levels are rather higher
- Now Keccak was named as SHA-3. It is not to replace SHA-2

SHA-512 Overview

Keyed Hash Functions as MACs

- want a MAC based on a hash function
- because hash functions are generally faster
- code for crypto hash functions widely available

- hash includes a key along with message
- original proposal:
KeyedHash = Hash(Key|Message)

- some weaknesses were found with this

- eventually led to development of HMAC

HMAC (Hashed MAC)

- A MAC based on a cryptographic hash code
- Motivations:
- Executing a hash function faster than a symmetric encryption
- Library code for hash functions is widely available.
- No export restrictions from the US to other countries

HMAC

- specified as Internet standard RFC2104
- uses hash function on the message:
HMACK = Hash[(K+ XOR opad) ||

Hash[(K+ XOR ipad)||M)]]

- where K+ is the key padded out to size
- and opad, ipad are specified padding constants
- overhead is just 3 more hash calculations than the message needs alone
- any hash function can be used
- eg. MD5, SHA-1, RIPEMD-160, Whirlpool

HMAC Algorithm

H = hash function

M = Message

Yi = ith block of M, 0 ≤ i ≤ L-1

L = no. of blocks in M

b = no. of bits in a block (based on chosen hash fn)

n = length of hash code

K = secret key

K+ = K padded with zeros on the left so that the length is b bits

ipad = 00110110 repeated b/8 times

opad = 01011010 repeated b/8 times

HMACK = H[(K+ opad)||H[(K+ ipad)||M]]

Advantages of HMAC

- Existing hash function can be implemented in HMAC
- Easy to replace with more secure or updated hash algorithm
- HMAC is proven more secure than hash algorithms

HMAC Security

- proved security of HMAC relates to that of the underlying hash algorithm
- attacking HMAC requires either:
- brute force attack on key used
- birthday attack (but since keyed would need to observe a very large number of messages)

- choose hash function used based on speed verses security constraints

Quiz

- Describe the difference between hash functions and MACs in terms of security and their usages
- Can we product a MAC using:
2.1 symmetric encryption?

2.2 public-key encryption?

Then compare them with HMAC

Download Presentation

Connecting to Server..