1 / 34

Message Authentication Codes and Hash Functions

Message Authentication Codes and Hash Functions. Dr. Ayad Ibrahim. Message Authentication. Message authentication is concerned with Protecting the integrity of a message Validating identity of originator Three Methods to provide message authentication Encryption

ruffj
Télécharger la présentation

Message Authentication Codes and Hash Functions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Message AuthenticationCodes and Hash Functions Dr. Ayad Ibrahim

  2. Message Authentication • Message authentication is concerned with • Protecting the integrity of a message • Validating identity of originator • Three Methods to provide message authentication • Encryption • Message authentication code (MAC) • Hash function

  3. Providing Authentication by Symmetric Encryption • Receiver knows sender must have created it because only sender and receiver know secret key

  4. Providing Authentication by Asymmetric Encryption • Encryption provides no confidence of sender because anyone potentially knows public key • However if sender signs message using its private key and then encrypts with receiver’s public key, we have both confidentiality and authentication

  5. Providing Authentication by Asymmetric Encryption

  6. Message Authentication Code (MAC) • Generated by an algorithm that creates a small fixed-sized block • depending on both messageand some key • Appended to message as a signature • Receiver performs same computation on message and checks it matches the MAC

  7. Uses of MAC

  8. MAC Properties • Cryptographic checksum MAC = CK(M) • condenses a variable-length message M • using a secret key K • to a fixed-sized authenticator • Many-to-one function • potentially many messages have same MAC • make sure finding collisionsis very difficult

  9. Requirements for MACs • Need the MAC to satisfy the following: “knowing a message and MAC, it is infeasible to find another message with same MAC”.

  10. Using Symmetric Ciphers for MAC • Can use any block cipher chaining mode and use final block as a MAC • Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC • using IV=0 and zero-pad of final block • encrypt message using DES in CBC mode • and send just the final block as the MAC • But final MAC is now too small for security

  11. Hash Functions • Condense arbitrary message to fixed size • Usually assume that the hash function is public and not keyed • Hash value used to detect changes to message • Used often to create a digital signature

  12. Uses of Hash Functions

  13. Uses of Hash Functions

  14. Hash Function Properties • Hash function produces a fingerprintof some file/message/data h = H(M)

  15. Requirements for Hash Functions • can be applied to any sized message M • produce fixed-length output h • easy to compute h=H(M) for any message M • one-way property:given h is infeasible to find x s.t. H(x)=h • weak collision resistance: given x is infeasible to find y s.t. H(y)=H(x) • strong collision resistance: infeasible to find any x,y s.t. H(y)=H(x)

  16. Simple Hash Functions • We can use XOR of message blocks • Not secure since can manipulate any message and either not change hash or change hash also • Need a stronger cryptographic function

  17. Block Ciphers as Hash Functions • Can use block ciphers as hash functions • use H0=0 and zero-pad of final block • compute Hi = EMi [Hi-1] • use final block as the hash value • similar to CBC but without a key • Resulting hash is too small (64-bit) • both due to direct birthday attack

  18. Birthday Attacks • If there are 23 people in a room, the probability that at least two people have the same birthday is slightly more than 50%. • If there are 30, the probability is around 70%. • Finding collisions of a hash function using Birthday Paradox. • randomly chooses k messages, x1, x2, …, xk • search if there is a pair of messages, say xi and xj such that h(xi) = h(xj). If so, one collision is found. • This birthday attack imposes a lower bound on the size of message digests. • If n = 64, the probability of finding one collision will be higher than half after slightly more than 232 random hashes being tried.

  19. Birthday Attacks • The probability that all 23 people have different birthdays is • Therefore, the probability of at least two having the same birthday is 1- 0.493=0.507 • More generally, suppose we have N objects, where N is large. There are r people, and each chooses an object. Then

  20. MD5 • Designed by Ronald Rivest (the R in RSA) • Latest in a series of MD2, MD4 • Produce a hash value of 128 bits (16 bytes) • Until recently was the most widely used hash algorithm • in recent times have both brute-force and cryptanalytic concerns

  21. MD5 Overview • Pad message so its length is 448 mod 512 • Append a 64-bit length value to message • Initialize 4-word (128-bit) MD buffer (A,B,C,D) • Process message in 16-word (512-bit) blocks: • use 4 rounds of 16 bit operations on message block & buffer • add output to buffer input to form new buffer value • output hash value is the final buffer value

  22. MD5 Processing

  23. MD5 Processing of 512-bit Block

  24. MD5 Compression Function • Each round has 16 steps of the form: b <- ((a+g(b,c,d)+X[k]+T[i])<<<s) • a,b,c,d refer to the 4 words of the buffer, but used in varying permutations • note each step updates only 1 word of the buffer • after 16 steps each word is updated 4 times • g(b,c,d) is a different nonlinear function in each round (F,G,H,I) • T[i] is a constant value derived from sine

  25. MD5 Compression Function

  26. Secure Hash Algorithm (SHA-1) • Designed by NIST & NSA in 1993, revised 1995 as SHA-1 • US standard for use with DSA signature scheme • Produce hash values of 160 bits (20 bytes) • Now the generally preferred hash algorithm

  27. SHA-1 Overview • pad message so its length is 448 mod 512 • append a 64-bit length value to message • initialize 5-word (160-bit) buffer (A,B,C,D,E) to (67452301,efcdab89,98badcfe,10325476,c3d2e1f0) • process message in 16-word (512-bit) chunks: • expand 16 words into 80 words by mixing & shifting • use 4 rounds of 20 bit operations on message block & buffer • add output to input to form new buffer value • output hash value is the final buffer value

  28. SHA-1 Compression Function • Each round has 20 steps which replaces the 5 buffer words thus: (A,B,C,D,E) <-(E+f(t,B,C,D)+(A<<5)+Wt+Kt),A,(B<<30),C,D) • a,b,c,d refer to the 4 words of the buffer • t is the step number • f(t,B,C,D) is nonlinear function for round • Wtis derived from the message block • Kt is a constant value derived from sine

  29. SHA-1 Compression Function

  30. SHA-1 vs MD5 • Brute force attack is harder (160 vs 128 bits for MD5) • Not vulnerable to any known attacks (compared to MD4 and MD5) • A little slower than MD5 (80 vs 64 steps) • Both designed as simple and compact

  31. Keyed Hash Functions as MACs • Desirable to create a MAC using a hash function rather than a block cipher • hash functions are generally faster • Hash includes a key along with the message • Original proposal: KeyedHash = Hash(Key|Message) • some weaknesses were found with this proposal • Eventually led to development of HMAC

  32. HMAC • Use hash function on the message: HMACK = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad)||M)]] • K+ is the key padded out to size • opad, ipad are specified padding constants • Overhead is just 3 more hash calculations than the message alone needs • Any of MD5, SHA-1, can be used

  33. HMAC Structure

  34. Security of HMAC • Security of HMAC relates to that of the underlying hash algorithm • Attacking HMAC requires either: • brute force attack on key used • birthday attack (but since keyed would need to observe a very large number of messages)

More Related