Upload
yamsani-santhosh
View
227
Download
0
Embed Size (px)
Citation preview
8/4/2019 06 UTC Authentication
1/27
1
Message Authentication and HashFunctions
Authentication Requirements Authentication Functions
Message Authentication Codes
Hash Functions
Security of Hash Functions and
MACs
8/4/2019 06 UTC Authentication
2/27
2
Authentication Requirements Kind of attacks (threats) in the context ofcommunications across a network
1. Disclosure
2. Traffic analysis
3. Masquerade
4. Content modification
5. Sequence modification
6. Timing modification
7. Repudiation
Measures to deal with first two attacks: In the realm of message confidentiality, and are addressed with
encryption Measures to deal with items 3 thru 6
Message authentication
Measures to deal with items 7 Digital signature
8/4/2019 06 UTC Authentication
3/27
3
Message authentication
A procedure to verify that messages come from
the alleged source and have not been altered
Message authentication may also verify
sequencing and timeliness
Digital signature
An authentication technique that also includes
measures to counter repudiation by either source
or destination
Authentication Requirements
8/4/2019 06 UTC Authentication
4/27
4
Authentication Functions
Message authentication or digital signature mechanismcan be viewed as having two levels At lower level: there must be some sort of functions producing
an authenticator a value to be used to authenticate a
message This lower level functions is used as primitive in a higher levelauthentication protocol
Authentication Functions
8/4/2019 06 UTC Authentication
5/27
5
Authentication Functions Three classes of functions that may be used to produce
an authenticator
Message encryption Ciphertext itself serves as authenticator
Message authentication code (MAC)
A public function of the message and a secret key thatproduces a fixed-length value that serves as theauthenticator
Hash function A public function that maps a message of any length into a
fixed-length hash value, which serves as the authenticator
Authentication Functions
8/4/2019 06 UTC Authentication
6/27
6
Message Encryption
Conventional encryption can serve as
authenticator
Conventional encryption provides authentication as
well as confidentiality Requires recognizable plaintext or otherstructure to
distinguish between well-formed legitimate plaintext
and meaningless random bits
e.g., ASCII text, an appended checksum, or use of layered
protocols
Authentication Functions
8/4/2019 06 UTC Authentication
7/27
7
Basic Uses of Message Encryption
Authentication Functions
8/4/2019 06 UTC Authentication
8/27
8
Ways of Providing Structure Append an error-detecting code (frame check
sequence (FCS)) to each message
Authentication Functions
8/4/2019 06 UTC Authentication
9/27
9
Ways of Providing Structure - 2 Suppose all the datagrams except the IP header is
encrypted.
If an opponent substituted some arbitrary bit pattern forthe encrypted TCP segment, the resulting plaintextwould not include a meaningful header
Authentication Functions
8/4/2019 06 UTC Authentication
10/27
10
Confidentiality and Authentication Implicationsof Message Encryption
Authentication Functions
8/4/2019 06 UTC Authentication
11/27
11
Message Authentication Code
Uses a shared secret key to generate a fixed-size block of data (known as a cryptographic
checksum or MAC) that is appended to the
message
MAC = CK(M)
Assurances:
Message has not been altered
Message is from alleged sender Message sequence is unaltered (requires internal
sequencing)
Similar to encryption but MAC algorithm needs
not be reversible
Authentication Functions
8/4/2019 06 UTC Authentication
12/27
12
Basic Uses of MAC
Authentication Functions
8/4/2019 06 UTC Authentication
13/27
13
Basic Uses of MAC
Authentication Functions
8/4/2019 06 UTC Authentication
14/27
14
Why Use MACs?
i.e., why not just use encryption?
Cleartext stays clear
MAC might be cheaper
Broadcast Authentication of executable codes
Architectural flexibility
Separation of authentication check from
message use
Authentication Functions
8/4/2019 06 UTC Authentication
15/27
15
Hash Function
Converts a variable size message M intofixed size hash code H(M) (Sometimes called
a message digest)
Can be used with encryption forauthentication
E(M || H)
M || E(H)
M || signed H E( M || signed H ) gives confidentiality
M || H( M || K )
E( M || H( M || K ) )
Authentication Functions
8/4/2019 06 UTC Authentication
16/27
16
Authentication Functions
Basic Uses of Hash Function
8/4/2019 06 UTC Authentication
17/27
17
Authentication Functions
Basic Uses of Hash Function
8/4/2019 06 UTC Authentication
18/27
18
Authentication Functions
Basic Uses of Hash Function
8/4/2019 06 UTC Authentication
19/27
19
Message Authentication Codes
MAC= CK(M)
Key length requirements
Sufficient key length to thwart brute force attack
MACs
8/4/2019 06 UTC Authentication
20/27
20
Hash Functions
h = H(M)
M is a variable-length message, h is a fixed-
length hash value, H is a hash function
The hash value is appended at the source The receiver authenticates the message by
recomputing the hash value
Because the hash function itself is not
considered to be secret, some means is
required to protect the hash value
Hash Functions
8/4/2019 06 UTC Authentication
21/27
21
Hash Function Requirements
1. H can be applied to any size data block
2. H produces fixed-length output
3. H(x) is relatively easy to compute for any given x
4. H is one-way, i.e., given h, it is computationally
infeasible to find any x s.t. h = H(x)
5. H is weakly collision resistant: given x, it is
computationally infeasible to find any y { x s.t. H(x)
= H(y)
6. H is strongly collision resistant: it is computationallyinfeasible to find any x and y s.t. H(x) = H(y)
Hash Functions
8/4/2019 06 UTC Authentication
22/27
22
Hash Function Requirements
One-way property is essential for
authentication Weak collision resistance is necessary to
prevent forgery
Strong collision resistance is important for
resistance to birthday attack
Hash Functions
8/4/2019 06 UTC Authentication
23/27
23
Simple Hash Functions O
peration of hash functions The input is viewed as a sequence of n-bit blocks
The input is processed one block at a time in an iterative fashion
to produce an n-bit hash function
Simplest hash function: Bitwise XOR of every block
Ci = bi1 bi2 bim Ci = i-th bit of the hash code, 1 e i e n
m = number of n-bit blocks in the input
bij = i-th bit in j-th block
Known as longitudinal redundancy check
Hash Functions
8/4/2019 06 UTC Authentication
24/27
24
Simple Hash Functions
Hash Functions
Improvement over the simplebitwise XOR Initially set the n-bit hash value to zero
Process each successive n-bit block of data asfollows
Rotate the current hash value to the left byone bit
XOR the block into the hash value
8/4/2019 06 UTC Authentication
25/27
25
Birthday Attack
If the adversary can generate 2m/2 variants of a validmessage and an equal number of fraudulent
messages
The two sets are compared to find one message from
each set with a common hash value The valid message is offered for signature
The fraudulent message with the same hash value is
inserted in its place
If a 64-bit hash code is used, the level of effort is only
on the order of 232
Conclusion: the length of the hash code must be
substantial
Birthday Attack
8/4/2019 06 UTC Authentication
26/27
26
Generating 2m/2 Variants of Valid Messages
Birthday Attack
Insert a number ofspace-backspace-spacecharacter pairs betweenwords throughout thedocument.
Variations could then begenerated by substitutingspace-backspace-spacein selected instances
Alternatively, simply
rewordthe message butretain the meaning
8/4/2019 06 UTC Authentication
27/27
27
Brute-Force Attack of Hash Functions Three desirable properties of hash functions
One-way: For any given code h, it is computationally infeasible to
find x s.t. H(x) = h
Weak collision resistance: For any given block x, it is
computationally infeasible to find y { x s.t. H(y) = H(x)
Strong collision resistance: It is computationally infeasible to find
any pair (x, y) s.t. H(y) = H(x)
Brute-force attack on n-bit hash code
One-way and weak collision require 2n effort
Strong collision requires 2n/2 effort
@ If strong collision resistance is required (and this is desirablefor a general-purpose secure hash code), 2n/2 determines the
strength of hash code against brute-force attack
Currently, two most popular hash codes, SHA-1 and RIPEMD-
160, provide a 160-bit hash code length
Security ofHash Functions andMACs