
Authentication & MD5

Authentication & MD5. Jen-Chang Liu, Fall 2005. Adapted from lecture slides by Lawrie Brown. Model for Network Security. Type of attacks: disclosure, traffic analysis, masquerade (impersonation), content modification, sequence modification (insertion, deletion, reordering), timing modification.


Presentation Transcript


  1. Authentication & MD5 Jen-Chang Liu, Fall 2005 Adapted from lecture slides by Lawrie Brown

  2. Model for Network Security

  3. Type of attacks • disclosure • traffic analysis • masquerade (impersonation) • content modification • sequence modification (insertion, deletion, reordering) • timing modification (delay or replay of message) • source repudiation (the sender cannot deny having sent the message) • destination repudiation (the receiver cannot deny having received the message) • Message confidentiality => ciphers • Message authentication => message encryption, message authentication code, hash function • Repudiation => digital signature

  4. Outline • Message authentication • Message encryption • Message authentication code: MAC=Ck(M), k is a shared secret key, MAC is a fixed-length code • Hash function: h=H(M), h is a fixed-length code • MD5

  5. Message Authentication • message authentication is concerned with: • protecting the integrity of a message (the message) • validating identity of originator (the source) • non-repudiation of origin (dispute resolution; the source cannot deny having sent the message) • Two-level approach • Produce an authenticator: a value to be used to authenticate a message • Authentication protocol

  6. Message Encryption • The ciphertext of the message serves as its authenticator • symmetric encryption is used: * A is the only party that possesses K * Y=DK(X), How to verify that Y is legitimate plaintext? Source: text file Source: binary file, such as compressed file, …

  7. Symmetric encryption for authentication • Constraint: the plaintext has some well-formed structure • Example 1: frame check sequence (FCS) [Figure labels: error detection code, frame check sequence, hash function]

  8. Symmetric encryption for authentication (cont.) • Example 2: TCP header encrypted

  9. Public-key encryption for authentication • Only A has private key, M must be well-formed • Anyone can access public key – no authentication [Figure: A to B; panels: confidentiality; authentication; confidentiality + authentication]

  10. Outline • Message authentication • Message encryption • Message authentication code: MAC=Ck(M), k is a shared secret key, MAC is a fixed-length code • Hash function: h=H(M), h is a fixed-length code • MD5

  11. Message Authentication Code (MAC) • MAC is a cryptographic checksum: MAC=CK(M) • condenses a variable-length message M • using a secret key K • to a fixed-sized authenticator

  12. Message Authentication Codes (cont.) • why use a MAC instead of message encryption? • Sometimes only authentication is needed • Ex. Broadcast of shut down message, check MAC is cheaper • Ex. The receiver side cannot afford time to decrypt • Ex. Authentication of a program in plaintext • Separation of authentication and confidentiality • Sometimes need authentication to persist longer than the encryption (eg. archival use) • note that a MAC is not a digital signature • Both sender and receiver share the same key

  13. Using Symmetric Ciphers for MACs • Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC • using IV=0 and zero-pad of final block • encrypt message using DES in CBC mode • and send just the final block as the MAC • or the leftmost M bits (16≤M≤64) of final block IV=0 + Cipher block chaining

  14. Message + MAC with confidentiality

  15. Outline • Message authentication • Message encryption • Message authentication code: MAC=Ck(M), k is a shared secret key, MAC is a fixed-length code • Hash function: h=H(M), h is a fixed-length code • MD5

  16. Hash Functions • Hash function: h=H(M), h is a fixed-length code • Also called message digest or hash value • usually assume that the hash function is public and not keyed, cf. MAC which is keyed • hash is used to detect changes to message • can use in various ways with message, most often to create a digital signature

  17. Hash functions & symmetric encryption • Hash code provides a structure for the message • In fact, a MAC code

  18. Hash functions & public-key encryptions • In fact, a digital signature [Figure labels: User A, User B; confidentiality]

  19. Hash functions & a shared secret value S • Advantage: no encryption is necessary [Figure label: confidentiality]

  20. Requirements for Hash Functions • is easy to compute h=H(M) for any message M • can be applied to any sized message M • produces fixed-length output h • given h, it is infeasible to find x s.t. H(x)=h (one-way property; important if a secret value is hashed: h = H(M || S)) • given x, it is infeasible to find y s.t. H(y)=H(x) (weak collision resistance; prevents forgery) • it is infeasible to find any x,y s.t. H(y)=H(x) (strong collision resistance)

  21. Simple Hash Functions • based on XOR of message blocks • Too simple to fit the security requirements

  22. Hash Algorithms • see similarities in the evolution of hash functions & block ciphers • increasing power of brute-force attacks • leading to evolution in algorithms • from DES to AES in block ciphers • from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash algorithms • likewise tend to use common iterative structure as do block ciphers

  23. MD5 (Message Digest) • designed by Ronald Rivest (the R in RSA) • latest in a series of MD2, MD4 • produces a 128-bit hash value • until recently was the most widely used hash algorithm • in recent times have both brute-force & cryptanalytic concerns • specified as Internet standard RFC1321

  24. MD5 Overview • pad message so its length is 448 mod 512 • append a 64-bit length value to message • initialise 4-word (128-bit) MD buffer (A,B,C,D) • process message in 16-word (512-bit) blocks: • using 4 rounds of 16-step operations on message block & buffer • add output to buffer input to form new buffer value • output hash value is the final buffer value

  25. always

  26. HMD5

  27. T[i] = 2^32 × abs(sin(i)) [32 bits or 1 word]

  28. MD5 Compression Function (1 step) [Figure labels: 32-bit words; 32 bits from 512-bit block; random 32 bits; circular left shift]

  29. Round functions * Bitwise logical operations

  30. HMD5

  31. Strength of MD5 • MD5 hash is dependent on all message bits • Rivest claims security is as good as can be • Case 1: find M1 and M2 with the same 128-bit MD: 2^64 operations • Case 2: find a message with given 128-bit MD: 2^128 operations

  32. Strength of MD5 (cont.) • known attacks are: • Berson 92 attacked any 1 round using differential cryptanalysis (but can’t extend) • Boer & Bosselaers 93 found a pseudo collision (different ABCD buffers, same output) in single block (again unable to extend) • Dobbertin 96 created collisions (different 512-bit blocks, same output) in single block (but initial constants prevent exploit) • conclusion is that MD5 looks vulnerable soon
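
The MD5 structure outlined in slides 24 to 29 (padding to 448 mod 512, the T[i] sine table, four rounds of 16 steps, adding the output back into the buffer), written out as an added Python example that is not part of the original slides. The shift amounts, buffer initial values and message-word order are taken from RFC 1321, which the slides cite but do not reproduce.

```python
import hashlib
import math
import struct

# T[i] = integer part of 2^32 * abs(sin(i)), i = 1..64 (slide 27); T[0] here is T[1].
T = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
# Circular-left-shift amounts per step, four per round (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# Initial value of the 4-word MD buffer (A, B, C, D) (RFC 1321).
INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
MASK = 0xFFFFFFFF

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def pad(message):
    """Pad to 448 mod 512 bits, then append the 64-bit little-endian bit length."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack("<Q", (8 * len(message)) % 2**64)

def compress(state, block):
    """HMD5: 4 rounds of 16 steps on one 512-bit block, output added to the input buffer."""
    x = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            f, k = (b & c) | (~b & d), i                 # round 1
        elif i < 32:
            f, k = (b & d) | (c & ~d), (5 * i + 1) % 16  # round 2
        elif i < 48:
            f, k = b ^ c ^ d, (3 * i + 5) % 16           # round 3
        else:
            f, k = c ^ (b | (~d & MASK)), (7 * i) % 16   # round 4
        step = (a + f + x[k] + T[i]) & MASK
        a, d, c, b = d, c, b, (b + rotl(step, S[i])) & MASK
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d)))

def md5(message):
    """Return the 128-bit digest as hex: the final buffer value, little-endian."""
    state = INIT
    padded = pad(message)
    for off in range(0, len(padded), 64):
        state = compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state).hex()

if __name__ == "__main__":
    for msg in (b"", b"abc", b"a" * 56):
        assert md5(msg) == hashlib.md5(msg).hexdigest()
```

A 55-byte message still fits in one 512-bit block after padding; a 56-byte message needs a second block because the length field no longer fits.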
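
Slides 20, 21 and 31 state that the XOR hash is too simple to meet the requirements and that finding two messages with the same n-bit digest costs about 2^(n/2) operations. The added Python example below (not from the original slides) shows both: a second message with the same XOR hash is built with no search at all, and a collision on MD5 truncated to 24 bits appears after roughly 2^12 attempts. The block size, sample messages and the truncation to 24 bits are constructed for illustration.

```python
import hashlib
from functools import reduce

BLOCK = 8  # bytes per block for the toy XOR hash (constructed parameter)

def xor_blocks(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def xor_hash(message):
    """Slide 21's simple hash: XOR of fixed-size message blocks (zero-padded)."""
    message += b"\x00" * (-len(message) % BLOCK)
    blocks = [message[i:i + BLOCK] for i in range(0, len(message), BLOCK)]
    return reduce(xor_blocks, blocks, bytes(BLOCK))

def second_message_same_xor_hash(original, other):
    """Return a message starting with `other` whose XOR hash equals xor_hash(original).

    One appended block equal to hash(original) XOR hash(other) cancels the
    difference, so weak collision resistance fails without any search.
    """
    other += b"\x00" * (-len(other) % BLOCK)
    return other + xor_blocks(xor_hash(original), xor_hash(other))

def birthday_collision(bits):
    """Find two inputs whose MD5 digests agree in their first `bits` bits.

    Returns (m1, m2, attempts); attempts is expected to be near 2**(bits/2),
    the same square-root behaviour behind the 2^64 figure for full MD5.
    """
    seen = {}
    attempts = 0
    while True:
        msg = b"msg-%d" % attempts  # constructed inputs
        attempts += 1
        tag = int.from_bytes(hashlib.md5(msg).digest(), "big") >> (128 - bits)
        if tag in seen:
            return seen[tag], msg, attempts
        seen[tag] = msg

if __name__ == "__main__":
    m = b"transfer 100 to account 1"  # constructed sample message
    m2 = second_message_same_xor_hash(m, b"transfer 900 to account 2")
    print(xor_hash(m) == xor_hash(m2), birthday_collision(24)[2])
```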
