1 / 73

Message Authentication

Message Authentication. MAC and Hash. Message Authentication. Verify that messages come from the alleged source, unaltered Authentication requirements Authentication functions. Authentication Requirements. Masquerade Content modification

barth
Télécharger la présentation

Message Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Message Authentication MAC and Hash CSE 5349/49

  2. Message Authentication • Verify that messages come from the alleged source, unaltered • Authentication requirements • Authentication functions CSE 5349/7349

  3. Authentication Requirements • Masquerade • Content modification • Insertion, deletion, transposition, modification of message contents • Sequence modification • Insertion, deletion, reordering of sequenced messages • Timing modification • Delay, replay • Repudiation • Denial of message transmission or receipt CSE 5349/7349

  4. Authentication Functions • Message encryption • Ciphertext itself serves as authenticator • Message authentication code • Public function combines message and secret key into fixed length value • Hash function • Public function maps message into fixed length value CSE 5349/7349

  5. M M E D EK(M) K K (a) Conventional encryption : confidentiality and authentication M M E D EKU (M) KR KU b b b (b) Public-key encryption : confidentiality Encryption for Authentication CSE 5349/7349

  6. EKR (M) EKR (M) EKR (M) KR KU KU KR KR KU b b a a a a a a a EKU [EKR (M)] a b Encryption for Authentication Destination M M E D (c) Public-key encryption : authentication and signature M M E D D E (d) Public-key encryption : confidentiality, authentication and signature CSE 5349/7349

  7. Destination Source M M C | | Compare K K C CK(M) Message Authentication CodeMAC CSE 5349/7349

  8. Source Destination M M C | | E D Compare K1 K2 K2 K1 EK [M||CK (M)] 2 1 CK (M) C 1 Message authentication and confidentiality; authentication tied to plaintext EK [M] 2 M E | | D M C K2 K2 K1 Compare K1 CK (EK [M]) C 1 2 Message authentication and confidentiality; authentication tied to ciphertext MAC (cont’d) CSE 5349/7349

  9. Message Authentication CodeMAC • Cryptographic checksum • Mixes message with (shared) secret key to produce a fixed size block • Assurances: • Message has not been altered • Message is from alleged sender • Message sequence is unaltered (requires internal sequencing) • MAC algorithm need not be reversible CSE 5349/7349

  10. Why Use MACs? • Why not just use encryption? • Clear-text stays clear • MAC might be cheaper • Broadcast • Authentication of executables • Architectural flexibility • Separation of authentication check from message use • Prolong the period of protection CSE 5349/7349

  11. Time = 1 Time = 2 Time = N – 1 Time = N D1 (64 bits) D2 DN – 1 DN + + + DES encrypt DES encrypt DES encrypt DES encrypt • • • K (56 bits) K K K O1 (64 bits) O2 ON – 1 ON DAC (16 to 64 bits) DES-Based MAC CSE 5349/7349

  12. MAC Requirements • Given M and Ck(M), it must be computationally infeasible to construct M’ s.t. Ck(M) = Ck(M’) • For any M and M’, Pr[Ck(M) = Ck(M’)] should be 2-n, where n is the length of the MAC • Let M’ be equal to some known transformation on M. Then, Pr[Ck(M) = Ck(M’)] = 2-n. CSE 5349/7349

  13. Attacks on MACs • Let k = key length, n = MAC length • If k > n • Brute force gives 2(k-n) candidate keys • Second round (new C and M) reduces this to 2(k-2n) candidate keys • On average, this requires k/n rounds CSE 5349/7349

  14. Attacks on MACs • If k  n, one round should suffice • Other attacks are possible, depending on the MAC algorithm • E.g., suppose Ck(M) = DES(k, X1  X2  ... Xm) • Replace Xi by Yi for i < m • Calculate Ym to produce the right checksum • Ym = Y1  Y2  ... Ym-1 X1  X2  ... Xm CSE 5349/7349

  15. One-way Hash Functions • Converts a variable size message M into fixed size hash code H(M) • Can be used with encryption for authentication • E(M || H) • M || E(H) • M || signed H • E( M || signed H ) gives confidentiality • M || H( M || K ) • E( M || H( M || K ) ) CSE 5349/7349

  16. Destination Source M M H | | E D Compare K K EK[M||H(M)] H(M) H (a) H M M | | K Compare K D EK[H(M)] H E (b) Hash (cont’d) CSE 5349/7349

  17. Destination Source H M M | | KU Compare a KR a D EKR [H(M)] a H E (c) M M H | | E D Compare KUa KRa K K EK[M||EKR [H(M)]] a EKR H(M) H E D a (d) Hash (cont’d) CSE 5349/7349

  18. Destination Source M M | | s | | H Compare H(M||S) s | | H (e) M M | | E D s | | H Compare K K EK[M||H(M||S)] s H(M||S) | | H (f) Hash (cont’d) CSE 5349/7349

  19. Hash Function Requirements • H can be applied to any size data block • H produces fixed length output • H is fast • H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x) CSE 5349/7349

  20. Hash Requirements (cont’d) • H is weakly collision resistant: given x, it is computationally infeasible to find any x’ s.t. H(x) = H(x’) • H is strongly collision resistant: it is computationally infeasible to find any x and y s.t. H(x) = H(y) CSE 5349/7349

  21. Hash Requirements (cont’d) • One-way property is essential for authentication • Weak collision resistance is necessary to prevent forgery • Strong collision resistance is important for resistance to birthday attack CSE 5349/7349

  22. Birthday Attack • Let H have m-bit output. What is the value of k s.t. if H is applied to k random inputs, a duplicate is likely? • Approximately 2m/2 • Comes from the B’day paradox • Given a room with k people, what is the probability that two of them have the same birthday (same month and day, assume no twins, etc) CSE 5349/7349

  23. Birthday Attack (cont’d) • If the adversary can generate 2m/2 variants of a valid message and an equal number of fraudulent messages • The two sets are compared to find one message from each set with a common hash value • The valid message is offered for signature • The fraudulent message with the same hash value is inserted in its place • Moral – length of hash code should be substantial CSE 5349/7349

  24. Security of Hash Functions • Brute force attack on n-bit output to find collisions • One-way and weak collision require O(2n) effort • Strong collision requires O(2n/2) effort CSE 5349/7349

  25. Cryptanalysis of Hash Functions • General model of hash functions • Staged compression function f • L stages, Y0, Y1, …, YL-1 • b input bits, n output bits per stage • initialization value • chaining variable • CV0 = IV • CVi = f(Cvi-1, Yi-1) • H(M = Y0Y1…YL-1) = CVL CSE 5349/7349

  26. Cryptanalysis of Hash Functions • Collision resistance in the compression function results in collision resistance in the iterated hash function • This narrows the problem of finding a collision resistant hash function to that of finding a collision resistant compression function CSE 5349/7349

  27. Hash Algorithms CSE 5349/49

  28. Popular Algorithms CSE 5349/7349

  29. MD5 • Message digest algorithm developed by Ron Rivest • Algorithm takes a message of arbitrary length and produces a 128-bit digest • The resulting digest is the unique “fingerprint” of the original message CSE 5349/7349

  30. Padding • Message is padded so that its length in bits is congruent to 448 modulo 512 • Length of padded message is 64 bits less than an integer multiple of 512 bits • Padding is always added even if the message is the desired length • Padding consists of a single 1 bit followed by 0 bits CSE 5349/7349

  31. Append Length • A 64 bit representation of the length in bits of the original message (before padding) is appended to the result of step 1 • If the original length is greater than 264, only the low-order 64 bits of the length are used • The length of the outcome of the first two steps is multiple of 512 bits CSE 5349/7349

  32. Initialize MD buffer • A 128-bit buffer is used to hold intermediate and final results of the hash function • Buffer can be represented as 4 32-bit registers (A,B,C,D) • As 32 bit strings the init values (in hex): • word A: 01 23 45 67 • word B: 89 AB CD EF • word C: FE DC BA 98 • word D: 76 54 32 10 CSE 5349/7349

  33. HMD5 = 4-round compression function message length Message 100…0 L X 512 bits 512 bits ... ... Block0 Block1 Blockn BlockL-1 512 128 HMD5 HMD5 HMD5 HMD5 MD buffer0 MD bufferL-1 MD buffern MD buffer1 128-bit digest CSE 5349/7349

  34. Message Processing • Message is processed in 512-bit blocks • Each block goes through a 4 round compression function • After all 512-bit blocks have been processed, the output from the compression function is the 128-bit digest CSE 5349/7349

  35. 128 Buffer q Block q B C D 32 A 512 Round 1 Round 2 Round 3 Round 4 + + + + 128 Buffer q +1 CSE 5349/7349

  36. - Each round is 16 steps, this is an ex.of a single step - The order in which a,b,c,d is used produces a circular right shift of one word for each step A B C D + g X[k] + T[i] + CLSs + A B C D CSE 5349/7349

  37. g = primitive function • X[k] = kth 32-bit word in one of the 512 bit blocks • T[i] = 232 x abs(sin(i)) • Round 1 • g(b,c,d) = (b AND c) OR (NOT b AND d) • k = 0...15 • i = 1...16 • Round 2 • g(b,c,d) = (b AND d) OR (c AND NOT d) • k = (1 + 5j)mod 16 where j = 1…16 • i = 17..32 CSE 5349/7349

  38. Round 3 • g(b,c,d) = b XOR c XOR d • k = (5 + 3j)mod 16 where j = 1…16 • i = 33…48 • Round 4 • g(b,c,d) = c XOR (b OR NOT d) • k = 7j mod 16 where j = 1…16 • i = 49…64 CSE 5349/7349

  39. SHA1 & RIPEMD CSE 5349/49

  40. Introduction • Developed by NIST and published as FIP PUB 180 in 1993. • Revised version (SHA-1) issued as FIPS PUB 180-1 in 1995 • The algorithm takes as input a message with a maximum length of less than 264 bits and produces a 160-bit message digest. • The input is processed in 512-bit blocks. CSE 5349/7349

  41. Message Extension • The processing cycle consists of the following steps: • Append padding bits. • Append length. • Initialize MD buffer. • Process the plaintext message in 512 bit blocks. • Output the message digest for the plaintext message. CSE 5349/7349

  42. Message Extension (cont’d) • In SHA-1 padding is always added to the plaintext message regardless of its length. • First append a binary “1”, then as many binary “0”s as needed to make the padded message 64 bits short of a multiple of 512 bits. CSE 5349/7349

  43. Append Length • Finally, a block of 64 bits is appended to the message. • It contains the length of the original plaintext message prior to padding. • This is an unsigned integer with the most significant bit (MSB) first. CSE 5349/7349

  44. Initialize MD Buffer • A 160-bit buffer is used to hold intermediate and final results of the hash function. • It is represented as five 32-bit registers {A, B, C, D, E}. • The initial register value are: • A = 67452301 • B = EFCDAB89 • C = 98BACDFE • D = 10325476 • E = C3D2E1F0 CSE 5349/7349

  45. Message Processing • The core of the algorithm is the HSHA compression function that processes 512-bit blocks. CSE 5349/7349

  46. Message Processing (cont’d) • The compression function consists of four rounds. • Each round consists of 20 processing steps. • The four rounds have a similar structure but each uses a different primitive logical function f1, f2, f3, and f4. CSE 5349/7349

  47. SHA-1Primitive Functions (ft) CSE 5349/7349

  48. SHA-1Truth Table for Function (ft) CSE 5349/7349

  49. SHA-1 Secure Hash Function512-bit Block Processing Function • Each round takes as an input the current 512-bit block being processed Yq and the 160-bit buffer value {ABCDE} and updates the contents of the buffer. • Each round makes use of an additive constant Kt, where 0 ≤ t ≤ 79 indicates one of 80 processing steps across four rounds. CSE 5349/7349

  50. Additive Constants • The value for these in hex are: • For 0 ≤ t ≤ 19 • Kt = 5A827999 • For 20 ≤ t ≤ 39 • Kt = 6ED9EBA1 • For 40 ≤ t ≤ 59 • Kt = 8F1BBCDC • For 60 ≤ t ≤ 79 • Kt = CA62C1D6 CSE 5349/7349

More Related