Understand the importance of message authentication codes (MACs), authentication functions, and their requirements in ensuring message integrity, source verification, and prevention of unauthorized message modifications. Explore the use of MACs for encryption and authentication, attacks on MACs, and the role of hash functions in data integrity. Learn about hash function requirements and their significance in authentication and data security.
 
                
Message Authentication MAC and Hash CSE 5349/49
Message Authentication • Verify that messages come from the alleged source, unaltered • Authentication requirements • Authentication functions CSE 5349/7349
Authentication Requirements • Masquerade • Content modification • Insertion, deletion, transposition, modification of message contents • Sequence modification • Insertion, deletion, reordering of sequenced messages • Timing modification • Delay, replay • Repudiation • Denial of message transmission or receipt
Authentication Functions • Message encryption • Ciphertext itself serves as authenticator • Message authentication code • Public function combines message and secret key into fixed length value • Hash function • Public function maps message into fixed length value
Encryption for Authentication [Figure: (a) Conventional encryption: confidentiality and authentication, the source sends $E_K(M)$; (b) Public-key encryption: confidentiality, the source sends $E_{KU_b}(M)$]
Encryption for Authentication [Figure: (c) Public-key encryption: authentication and signature, the source sends $E_{KR_a}(M)$; (d) Public-key encryption: confidentiality, authentication and signature, the source sends $E_{KU_b}[E_{KR_a}(M)]$]
Message Authentication Code (MAC) [Figure: the source computes $C_K(M)$ and appends it to M; the destination recomputes C with K and compares]
MAC (cont’d) [Figure: message authentication and confidentiality with authentication tied to plaintext, $E_{K_2}[M \| C_{K_1}(M)]$; message authentication and confidentiality with authentication tied to ciphertext, $E_{K_2}[M] \| C_{K_1}(E_{K_2}[M])$]
Message Authentication Code (MAC) • Cryptographic checksum • Mixes message with (shared) secret key to produce a fixed size block • Assurances: • Message has not been altered • Message is from alleged sender • Message sequence is unaltered (requires internal sequencing) • MAC algorithm need not be reversible
Why Use MACs? • Why not just use encryption? • Clear-text stays clear • MAC might be cheaper • Broadcast • Authentication of executables • Architectural flexibility • Separation of authentication check from message use • Prolong the period of protection
DES-Based MAC [Figure: data blocks D1 (64 bits), D2, …, DN–1, DN are processed at Time = 1 to Time = N; each block is combined (+) with the previous output and DES-encrypted under K (56 bits), giving O1 (64 bits), O2, …, ON–1, ON; the DAC (16 to 64 bits) is taken from ON]
MAC Requirements • Given M and $C_k(M)$, it must be computationally infeasible to construct M’ s.t. $C_k(M) = C_k(M')$ • For any M and M’, $\Pr[C_k(M) = C_k(M')]$ should be $2^{-n}$, where n is the length of the MAC • Let M’ be equal to some known transformation on M. Then, $\Pr[C_k(M) = C_k(M')] = 2^{-n}$.
Attacks on MACs • Let k = key length, n = MAC length • If k > n • Brute force gives $2^{(k-n)}$ candidate keys • Second round (new C and M) reduces this to $2^{(k-2n)}$ candidate keys • On average, this requires k/n rounds
Attacks on MACs • If k ≤ n, one round should suffice • Other attacks are possible, depending on the MAC algorithm • E.g., suppose $C_k(M) = DES(k, X_1 \oplus X_2 \oplus \dots \oplus X_m)$ • Replace $X_i$ by $Y_i$ for i < m • Calculate $Y_m$ to produce the right checksum • $Y_m = Y_1 \oplus Y_2 \oplus \dots \oplus Y_{m-1} \oplus X_1 \oplus X_2 \oplus \dots \oplus X_m$
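The block-substitution weakness on this slide, as an added example that is not part of the original slides: it shows why a MAC computed over the XOR of the blocks still verifies after the blocks are replaced, and that a MAC over the whole message does not. Assumptions: truncated HMAC-SHA256 stands in for DES(k, ·), and the key, messages and function names are constructed for the illustration.

```python
import hashlib
import hmac
from functools import reduce

BLOCK = 8  # 64-bit blocks, the DES block size

def split_blocks(msg):
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def xor_all(blks):
    return reduce(xor, blks, bytes(BLOCK))

def checksum_mac(key, msg):
    # C_k(M) = E(k, X1 xor X2 xor ... xor Xm).
    # Assumption: truncated HMAC-SHA256 stands in for DES(k, .).
    folded = xor_all(split_blocks(msg))
    return hmac.new(key, folded, hashlib.sha256).digest()[:BLOCK]

def full_mac(key, msg):
    # Sound alternative: the keyed function covers every message bit.
    return hmac.new(key, msg, hashlib.sha256).digest()

def substitute(original, new_blocks):
    # Y_m = Y_1 xor ... xor Y_{m-1} xor X_1 xor ... xor X_m (no key needed)
    y_m = xor(xor_all(new_blocks), xor_all(split_blocks(original)))
    return b"".join(new_blocks) + y_m

def demo():
    key = b"constructed-demo-key"
    original = b"block-01block-02block-03block-04"   # constructed X_1..X_4
    altered = substitute(original, [b"other-01", b"other-02", b"other-03"])
    weak_ok = hmac.compare_digest(checksum_mac(key, original),
                                  checksum_mac(key, altered))
    full_ok = hmac.compare_digest(full_mac(key, original),
                                  full_mac(key, altered))
    return original, altered, weak_ok, full_ok

if __name__ == "__main__":
    _, altered, weak_ok, full_ok = demo()
    print("altered message:", altered)
    print("checksum MAC still verifies:", weak_ok)
    print("MAC over full message verifies:", full_ok)
```

The checksum MAC fails the first MAC requirement because the keyed function only ever sees the XOR of the blocks, so any message with the same XOR shares the tag.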
One-way Hash Functions • Converts a variable size message M into fixed size hash code H(M) • Can be used with encryption for authentication • E(M || H) • M || E(H) • M || signed H • E( M || signed H ) gives confidentiality • M || H( M || K ) • E( M || H( M || K ) )
Hash (cont’d) [Figure: (a) the source sends $E_K[M \| H(M)]$, the destination decrypts, recomputes H and compares; (b) the source sends $M \| E_K[H(M)]$, the destination decrypts the hash code with K and compares]
Hash (cont’d) [Figure: (c) the source sends $M \| E_{KR_a}[H(M)]$, the destination recovers the hash code with $KU_a$ and compares; (d) the source sends $E_K[M \| E_{KR_a}[H(M)]]$]
Hash (cont’d) [Figure: (e) the source sends $M \| H(M \| S)$, the destination appends S, recomputes H and compares; (f) the source sends $E_K[M \| H(M \| S)]$]
Hash Function Requirements • H can be applied to any size data block • H produces fixed length output • H is fast • H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x)
Hash Requirements (cont’d) • H is weakly collision resistant: given x, it is computationally infeasible to find any x’ s.t. H(x) = H(x’) • H is strongly collision resistant: it is computationally infeasible to find any x and y s.t. H(x) = H(y)
Hash Requirements (cont’d) • One-way property is essential for authentication • Weak collision resistance is necessary to prevent forgery • Strong collision resistance is important for resistance to birthday attack
Birthday Attack • Let H have m-bit output. What is the value of k s.t. if H is applied to k random inputs, a duplicate is likely? • Approximately $2^{m/2}$ • Comes from the birthday paradox • Given a room with k people, what is the probability that two of them have the same birthday (same month and day, assume no twins, etc.)
Birthday Attack (cont’d) • If the adversary can generate $2^{m/2}$ variants of a valid message and an equal number of fraudulent messages • The two sets are compared to find one message from each set with a common hash value • The valid message is offered for signature • The fraudulent message with the same hash value is inserted in its place • Moral – length of hash code should be substantial
Security of Hash Functions • Brute force attack on n-bit output to find collisions • One-way and weak collision require $O(2^n)$ effort • Strong collision requires $O(2^{n/2})$ effort
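The $2^{m/2}$ figure from the birthday slides can be measured directly; the following is an added example, not part of the original slides. Assumptions: the m-bit hash is SHA-256 truncated to its top m bits, and the inputs are constructed counter strings, so the run is deterministic.

```python
import hashlib

def h_trunc(data, m_bits):
    """m-bit hash: the top m bits of SHA-256 (assumption for the experiment)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - m_bits)

def birthday_collision(m_bits):
    """Hash distinct inputs until two share an m-bit value.

    Returns (first_input, second_input, number_of_inputs_hashed).
    """
    seen = {}
    k = 0
    while True:
        msg = b"constructed-input-%d" % k
        k += 1
        h = h_trunc(msg, m_bits)
        if h in seen:
            return seen[h], msg, k
        seen[h] = msg

def summarize(bit_lengths=(16, 20, 24)):
    """For each m: inputs needed for a duplicate next to the 2^(m/2) estimate."""
    rows = []
    for m in bit_lengths:
        a, b, k = birthday_collision(m)
        genuine = a != b and h_trunc(a, m) == h_trunc(b, m)
        rows.append((m, k, 2 ** (m // 2), genuine))
    return rows

if __name__ == "__main__":
    for m, k, estimate, genuine in summarize():
        print(f"m={m:2d}  inputs hashed={k:6d}  2^(m/2)={estimate:5d}  "
              f"collision verified={genuine}")
```

Each extra pair of output bits only doubles the work, which is the reason the slide's moral is that the hash code must be long.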
Cryptanalysis of Hash Functions • General model of hash functions • Staged compression function f • L stages, $Y_0, Y_1, \dots, Y_{L-1}$ • b input bits, n output bits per stage • initialization value • chaining variable • $CV_0 = IV$ • $CV_i = f(CV_{i-1}, Y_{i-1})$ • $H(M = Y_0 Y_1 \dots Y_{L-1}) = CV_L$
Cryptanalysis of Hash Functions • Collision resistance in the compression function results in collision resistance in the iterated hash function • This narrows the problem of finding a collision resistant hash function to that of finding a collision resistant compression function
Hash Algorithms
Popular Algorithms
MD5 • Message digest algorithm developed by Ron Rivest • Algorithm takes a message of arbitrary length and produces a 128-bit digest • The resulting digest is the unique “fingerprint” of the original message
Padding • Message is padded so that its length in bits is congruent to 448 modulo 512 • Length of padded message is 64 bits less than an integer multiple of 512 bits • Padding is always added even if the message is the desired length • Padding consists of a single 1 bit followed by 0 bits
Append Length • A 64-bit representation of the length in bits of the original message (before padding) is appended to the result of step 1 • If the original length is greater than $2^{64}$, only the low-order 64 bits of the length are used • The length of the outcome of the first two steps is a multiple of 512 bits
Initialize MD buffer • A 128-bit buffer is used to hold intermediate and final results of the hash function • Buffer can be represented as 4 32-bit registers (A,B,C,D) • As 32 bit strings the init values (in hex): • word A: 01 23 45 67 • word B: 89 AB CD EF • word C: FE DC BA 98 • word D: 76 54 32 10
[Figure: MD5 overall processing. The message, the padding (100…0) and the message length together form L × 512 bits, split into Block 0, Block 1, …, Block n, …, Block L-1 of 512 bits each; each block and the 128-bit MD buffer feed $H_{MD5}$, and the final buffer is the 128-bit digest. $H_{MD5}$ = 4-round compression function]
Message Processing • Message is processed in 512-bit blocks • Each block goes through a 4 round compression function • After all 512-bit blocks have been processed, the output from the compression function is the 128-bit digest
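[Figure: processing of block q. The 128-bit buffer q (words A, B, C, D of 32 bits each) and the 512-bit block q pass through Round 1, Round 2, Round 3 and Round 4; the result is added (+) word by word to buffer q to give the 128-bit buffer q+1]
Each round is 16 steps; this is an example of a single step • The order in which a, b, c, d is used produces a circular right shift of one word for each step [Figure: a single step. Inputs A, B, C, D; g is applied and the result is added (+) to X[k] and T[i], circularly left-shifted by s bits (CLSs) and added (+) again, giving the new A, B, C, D]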
g = primitive function • X[k] = kth 32-bit word in one of the 512 bit blocks • T[i] = $2^{32}$ × abs(sin(i)) • Round 1 • g(b,c,d) = (b AND c) OR (NOT b AND d) • k = 0...15 • i = 1...16 • Round 2 • g(b,c,d) = (b AND d) OR (c AND NOT d) • k = (1 + 5j) mod 16 where j = 1…16 • i = 17...32
Round 3 • g(b,c,d) = b XOR c XOR d • k = (5 + 3j)mod 16 where j = 1…16 • i = 33…48 • Round 4 • g(b,c,d) = c XOR (b OR NOT d) • k = 7j mod 16 where j = 1…16 • i = 49…64
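The MD5 slides above (padding, append length, MD buffer, and the four rounds with their g functions) assembled into running code, as an added example that is not part of the original slides. Assumptions: the per-step shift amounts for the CLSs box come from RFC 1321 because the slides do not list them, the step counter j is counted from 0 within each round, and the 64-bit length is stored low-order byte first.

```python
import math
import struct

MASK = 0xFFFFFFFF
# Left-rotation amounts for the CLSs box (RFC 1321 values, not on the slides).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# T[i] = integer part of 2^32 * abs(sin(i)) for i = 1..64, stored 0-based.
T = [int(2 ** 32 * abs(math.sin(i + 1))) & MASK for i in range(64)]

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def pad(msg):
    """A 1 bit, 0 bits up to 448 mod 512, then the 64-bit message length."""
    bit_len = (8 * len(msg)) & 0xFFFFFFFFFFFFFFFF   # low-order 64 bits only
    msg += b"\x80"                                   # the single 1 bit
    msg += b"\x00" * ((56 - len(msg)) % 64)          # 0 bits
    return msg + struct.pack("<Q", bit_len)          # low-order byte first

def compress(cv, block):
    """H_MD5: one 512-bit block updates the 128-bit chaining variable."""
    X = struct.unpack("<16I", block)
    a, b, c, d = cv
    for i in range(64):
        if i < 16:                                   # round 1
            g, k = (b & c) | (~b & d), i
        elif i < 32:                                 # round 2
            g, k = (b & d) | (c & ~d), (1 + 5 * i) % 16
        elif i < 48:                                 # round 3
            g, k = b ^ c ^ d, (5 + 3 * i) % 16
        else:                                        # round 4
            g, k = c ^ (b | (~d & MASK)), (7 * i) % 16
        f = (a + g + X[k] + T[i]) & MASK
        a, d, c, b = d, c, b, (b + rotl(f, S[i])) & MASK
    # Add the round output word by word to the incoming buffer.
    return tuple((x + y) & MASK for x, y in zip(cv, (a, b, c, d)))

def md5(msg):
    # Words A..D; bytes 01 23 45 67 read low-order first give 0x67452301.
    cv = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)   # CV_0 = IV
    data = pad(msg)
    for off in range(0, len(data), 64):                      # CV_i = f(CV_{i-1}, Y_{i-1})
        cv = compress(cv, data[off:off + 64])
    return struct.pack("<4I", *cv).hex()
```

A 56-byte message is already 448 bits long, so it gains a full extra block of padding, which matches the slide's point that padding is always added.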
SHA1 & RIPEMD
Introduction • Developed by NIST and published as FIPS PUB 180 in 1993. • Revised version (SHA-1) issued as FIPS PUB 180-1 in 1995 • The algorithm takes as input a message with a maximum length of less than $2^{64}$ bits and produces a 160-bit message digest. • The input is processed in 512-bit blocks.
Message Extension • The processing cycle consists of the following steps: • Append padding bits. • Append length. • Initialize MD buffer. • Process the plaintext message in 512 bit blocks. • Output the message digest for the plaintext message.
Message Extension (cont’d) • In SHA-1 padding is always added to the plaintext message regardless of its length. • First append a binary “1”, then as many binary “0”s as needed to make the padded message 64 bits short of a multiple of 512 bits.
Append Length • Finally, a block of 64 bits is appended to the message. • It contains the length of the original plaintext message prior to padding. • This is an unsigned integer with the most significant bit (MSB) first.
Initialize MD Buffer • A 160-bit buffer is used to hold intermediate and final results of the hash function. • It is represented as five 32-bit registers {A, B, C, D, E}. • The initial register values are: • A = 67452301 • B = EFCDAB89 • C = 98BACDFE • D = 10325476 • E = C3D2E1F0
Message Processing • The core of the algorithm is the $H_{SHA}$ compression function that processes 512-bit blocks.
Message Processing (cont’d) • The compression function consists of four rounds. • Each round consists of 20 processing steps. • The four rounds have a similar structure but each uses a different primitive logical function f1, f2, f3, and f4.
SHA-1 Primitive Functions ($f_t$)
SHA-1 Truth Table for Function ($f_t$)
SHA-1 Secure Hash Function: 512-bit Block Processing Function • Each round takes as an input the current 512-bit block being processed $Y_q$ and the 160-bit buffer value {ABCDE} and updates the contents of the buffer. • Each round makes use of an additive constant $K_t$, where 0 ≤ t ≤ 79 indicates one of 80 processing steps across four rounds.
Additive Constants • The values for these in hex are: • For 0 ≤ t ≤ 19 • $K_t$ = 5A827999 • For 20 ≤ t ≤ 39 • $K_t$ = 6ED9EBA1 • For 40 ≤ t ≤ 59 • $K_t$ = 8F1BBCDC • For 60 ≤ t ≤ 79 • $K_t$ = CA62C1D6