06 UTC Authentication

8/4/2019 06 UTC Authentication

1/27

1

Message Authentication and HashFunctions

Authentication Requirements Authentication Functions

Message Authentication Codes

Hash Functions

Security of Hash Functions and

MACs


2/27

2

Authentication Requirements Kind of attacks (threats) in the context ofcommunications across a network

1. Disclosure

2. Traffic analysis

3. Masquerade

4. Content modification

5. Sequence modification

6. Timing modification

7. Repudiation

Measures to deal with first two attacks: In the realm of message confidentiality, and are addressed with

encryption Measures to deal with items 3 thru 6

Message authentication

Measures to deal with items 7 Digital signature


3/27

3

Message authentication

A procedure to verify that messages come from

the alleged source and have not been altered

Message authentication may also verify

sequencing and timeliness

Digital signature

An authentication technique that also includes

measures to counter repudiation by either source

or destination

Authentication Requirements


4/27

4

Authentication Functions

Message authentication or digital signature mechanismcan be viewed as having two levels At lower level: there must be some sort of functions producing

an authenticator a value to be used to authenticate a

message This lower level functions is used as primitive in a higher levelauthentication protocol



5/27

5

Authentication Functions Three classes of functions that may be used to produce

an authenticator

Message encryption Ciphertext itself serves as authenticator

Message authentication code (MAC)

A public function of the message and a secret key thatproduces a fixed-length value that serves as theauthenticator

Hash function A public function that maps a message of any length into a

fixed-length hash value, which serves as the authenticator



6/27

6

Message Encryption

Conventional encryption can serve as

authenticator

Conventional encryption provides authentication as

well as confidentiality Requires recognizable plaintext or otherstructure to

distinguish between well-formed legitimate plaintext

and meaningless random bits

e.g., ASCII text, an appended checksum, or use of layered

protocols



7/27

7

Basic Uses of Message Encryption



8/27

8

Ways of Providing Structure Append an error-detecting code (frame check

sequence (FCS)) to each message



9/27

9

Ways of Providing Structure - 2 Suppose all the datagrams except the IP header is

encrypted.

If an opponent substituted some arbitrary bit pattern forthe encrypted TCP segment, the resulting plaintextwould not include a meaningful header



10/27

10

Confidentiality and Authentication Implicationsof Message Encryption



11/27

11

Message Authentication Code

Uses a shared secret key to generate a fixed-size block of data (known as a cryptographic

checksum or MAC) that is appended to the

message

MAC = CK(M)

Assurances:

Message has not been altered

Message is from alleged sender Message sequence is unaltered (requires internal

sequencing)

Similar to encryption but MAC algorithm needs

not be reversible



12/27

12

Basic Uses of MAC



13/27

13

Basic Uses of MAC



14/27

14

Why Use MACs?

i.e., why not just use encryption?

Cleartext stays clear

MAC might be cheaper

Broadcast Authentication of executable codes

Architectural flexibility

Separation of authentication check from

message use



15/27

15

Hash Function

Converts a variable size message M intofixed size hash code H(M) (Sometimes called

a message digest)

Can be used with encryption forauthentication

E(M || H)

M || E(H)

M || signed H E( M || signed H ) gives confidentiality

M || H( M || K )

E( M || H( M || K ) )



16/27

16


Basic Uses of Hash Function


17/27

17




18/27

18




19/27

19

Message Authentication Codes

MAC= CK(M)

Key length requirements

Sufficient key length to thwart brute force attack

MACs


20/27

20

Hash Functions

h = H(M)

M is a variable-length message, h is a fixed-

length hash value, H is a hash function

The hash value is appended at the source The receiver authenticates the message by

recomputing the hash value

Because the hash function itself is not

considered to be secret, some means is

required to protect the hash value

Hash Functions


21/27

21

Hash Function Requirements

1. H can be applied to any size data block

2. H produces fixed-length output

3. H(x) is relatively easy to compute for any given x

4. H is one-way, i.e., given h, it is computationally

infeasible to find any x s.t. h = H(x)

5. H is weakly collision resistant: given x, it is

computationally infeasible to find any y { x s.t. H(x)

= H(y)

6. H is strongly collision resistant: it is computationallyinfeasible to find any x and y s.t. H(x) = H(y)

Hash Functions


22/27

22

Hash Function Requirements

One-way property is essential for

authentication Weak collision resistance is necessary to

prevent forgery

Strong collision resistance is important for

resistance to birthday attack

Hash Functions


23/27

23

Simple Hash Functions O

peration of hash functions The input is viewed as a sequence of n-bit blocks

The input is processed one block at a time in an iterative fashion

to produce an n-bit hash function

Simplest hash function: Bitwise XOR of every block

Ci = bi1 bi2 bim Ci = i-th bit of the hash code, 1 e i e n

m = number of n-bit blocks in the input

bij = i-th bit in j-th block

Known as longitudinal redundancy check

Hash Functions


24/27

24

Simple Hash Functions

Hash Functions

Improvement over the simplebitwise XOR Initially set the n-bit hash value to zero

Process each successive n-bit block of data asfollows

Rotate the current hash value to the left byone bit

XOR the block into the hash value


25/27

25

Birthday Attack

If the adversary can generate 2m/2 variants of a validmessage and an equal number of fraudulent

messages

The two sets are compared to find one message from

each set with a common hash value The valid message is offered for signature

The fraudulent message with the same hash value is

inserted in its place

If a 64-bit hash code is used, the level of effort is only

on the order of 232

Conclusion: the length of the hash code must be

substantial

Birthday Attack


26/27

26

Generating 2m/2 Variants of Valid Messages

Birthday Attack

Insert a number ofspace-backspace-spacecharacter pairs betweenwords throughout thedocument.

Variations could then begenerated by substitutingspace-backspace-spacein selected instances

Alternatively, simply

rewordthe message butretain the meaning


27/27

27

Brute-Force Attack of Hash Functions Three desirable properties of hash functions

One-way: For any given code h, it is computationally infeasible to

find x s.t. H(x) = h

Weak collision resistance: For any given block x, it is

computationally infeasible to find y { x s.t. H(y) = H(x)

Strong collision resistance: It is computationally infeasible to find

any pair (x, y) s.t. H(y) = H(x)

Brute-force attack on n-bit hash code

One-way and weak collision require 2n effort

Strong collision requires 2n/2 effort

@ If strong collision resistance is required (and this is desirablefor a general-purpose secure hash code), 2n/2 determines the

strength of hash code against brute-force attack

Currently, two most popular hash codes, SHA-1 and RIPEMD-

160, provide a 160-bit hash code length

Security ofHash Functions andMACs

Documents

06 UTC Authentication