Message Authentication and Hash Functions
• Authentication Requirements
• Authentication Functions
• Message Authentication Codes
• Hash Functions
• Security of Hash Functions and MACs
Authentication Requirements
Kinds of attacks (threats) in the context of communications across a network
1. Disclosure
2. Traffic analysis
3. Masquerade
4. Content modification
5. Sequence modification
6. Timing modification
7. Repudiation
• Measures to deal with the first two attacks
– In the realm of message confidentiality, and are addressed with encryption
• Measures to deal with items 3 through 6
– Message authentication
• Measures to deal with item 7
– Digital signature
Authentication Requirements
• Message authentication
– A procedure to verify that messages come from the alleged source and have not been altered
– Message authentication may also verify sequencing and timeliness
• Digital signature
– An authentication technique that also includes measures to counter repudiation by either source or destination
Authentication Functions
• A message authentication or digital signature mechanism can be viewed as having two levels
– At the lower level, there must be some sort of function producing an authenticator: a value to be used to authenticate a message
– This lower-level function is used as a primitive in a higher-level authentication protocol
Authentication Functions
Three classes of functions that may be used to produce an authenticator
• Message encryption
– Ciphertext itself serves as authenticator
• Message authentication code (MAC)
– A public function of the message and a secret key that produces a fixed-length value that serves as the authenticator
• Hash function
– A public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator
Message Encryption
• Conventional encryption can serve as authenticator
• Conventional encryption provides authentication as well as confidentiality
• Requires recognizable plaintext or other structure to distinguish between well-formed legitimate plaintext and meaningless random bits
– e.g., ASCII text, an appended checksum, or use of layered protocols
Basic Uses of Message Encryption
Ways of Providing Structure
• Append an error-detecting code (frame check sequence (FCS)) to each message
Ways of Providing Structure - 2
• Suppose all of the datagram except the IP header is encrypted.
• If an opponent substituted some arbitrary bit pattern for the encrypted TCP segment, the resulting plaintext would not include a meaningful header
Confidentiality and Authentication Implications of Message Encryption
Message Authentication Code
• Uses a shared secret key to generate a fixed-size block of data (known as a cryptographic checksum or MAC) that is appended to the message
• MAC = $C_K(M)$
• Assurances:
– Message has not been altered
– Message is from alleged sender
– Message sequence is unaltered (requires internal sequencing)
• Similar to encryption, but the MAC algorithm need not be reversible
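An added example (not part of the original slides) of the MAC construction above, covering all three assurances. HMAC-SHA-256 stands in for the MAC algorithm C, which the slides do not name; the frame layout (8-byte sequence number, message, tag), the sample key and the function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA-256 output size in bytes


def protect(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender: frame = seq (8 bytes) || M || MAC, where MAC = C_K(seq || M)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + message + tag


class Receiver:
    """Recomputes the MAC and enforces strictly increasing sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes):
        """Return the message if authentic and in sequence, else None."""
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return None
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:  # replayed or reordered frame
            return None
        self.last_seq = seq
        return body[8:]


def demo() -> dict:
    key = b"constructed-demo-key-32-bytes..."  # constructed sample key
    rx = Receiver(key)
    f0 = protect(key, 0, b"pay 10 to alice")
    f1 = protect(key, 1, b"pay 20 to bob")
    tampered = f1[:8] + b"pay 99 to bob" + f1[-TAG_LEN:]  # body altered, old tag
    return {
        "first": rx.accept(f0),
        "tampered": rx.accept(tampered),
        "second": rx.accept(f1),
        "replay": rx.accept(f0),
        "wrong_key": Receiver(b"other key").accept(f0),
    }
```

The sequence number is covered by the tag, so an attacker cannot renumber a captured frame without invalidating the MAC.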
Basic Uses of MAC
Why Use MACs?
i.e., why not just use encryption?
• Cleartext stays clear
• MAC might be cheaper
• Broadcast
• Authentication of executable codes
• Architectural flexibility
• Separation of authentication check from message use
Hash Function
• Converts a variable-size message M into a fixed-size hash code H(M) (sometimes called a message digest)
• Can be used with encryption for authentication
– E(M || H)
– M || E(H)
– M || signed H
– E( M || signed H ) gives confidentiality
– M || H( M || K )
– E( M || H( M || K ) )
Basic Uses of Hash Function
Message Authentication Codes
• MAC = $C_K(M)$
• Key length requirements
– Sufficient key length to thwart brute force attack
Hash Functions
• h = H(M)
– M is a variable-length message, h is a fixed-length hash value, H is a hash function
• The hash value is appended at the source
• The receiver authenticates the message by recomputing the hash value
• Because the hash function itself is not considered to be secret, some means is required to protect the hash value
Hash Function Requirements
1. H can be applied to any size data block
2. H produces fixed-length output
3. H(x) is relatively easy to compute for any given x
4. H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x)
5. H is weakly collision resistant: given x, it is computationally infeasible to find any y ≠ x s.t. H(x) = H(y)
6. H is strongly collision resistant: it is computationally infeasible to find any x and y s.t. H(x) = H(y)
Hash Function Requirements
One-way property is essential for authentication
Weak collision resistance is necessary to prevent forgery
Strong collision resistance is important for resistance to birthday attack
Simple Hash Functions
• Operation of hash functions
– The input is viewed as a sequence of n-bit blocks
– The input is processed one block at a time in an iterative fashion to produce an n-bit hash function
• Simplest hash function: bitwise XOR of every block
– $C_i = b_{i1} \oplus b_{i2} \oplus \cdots \oplus b_{im}$
» $C_i$ = i-th bit of the hash code, $1 \le i \le n$
» m = number of n-bit blocks in the input
» $b_{ij}$ = i-th bit in j-th block
– Known as longitudinal redundancy check
Simple Hash Functions
• Improvement over the simple bitwise XOR
– Initially set the n-bit hash value to zero
– Process each successive n-bit block of data as follows
» Rotate the current hash value to the left by one bit
» XOR the block into the hash value
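An added example (not part of the original slides) implementing both simple hash functions above on 8-bit blocks, an assumed block size. It also shows why neither meets the weak collision resistance requirement: the plain XOR ignores block order, and the rotated XOR is still linear, so a paired edit to two adjacent blocks leaves the hash unchanged. All function names are illustrative.

```python
N = 8  # block size in bits: one byte per block (assumption for this demo)
MASK = (1 << N) - 1


def xor_hash(data: bytes) -> int:
    """Longitudinal redundancy check: C_i is the XOR of bit i of every block."""
    h = 0
    for block in data:
        h ^= block
    return h


def rotl(value: int, count: int = 1) -> int:
    """Rotate an N-bit value left by `count` bits."""
    count %= N
    return ((value << count) | (value >> (N - count))) & MASK


def rxor_hash(data: bytes) -> int:
    """Start from zero; for each block rotate the hash left one bit, then XOR."""
    h = 0
    for block in data:
        h = rotl(h) ^ block
    return h


def same_hash_edit(data: bytes, j: int, bit: int) -> bytes:
    """Return a different message with the same rotated-XOR hash.

    Flipping `bit` in block j changes the running hash by that one bit; the
    next step rotates the difference left by one, so flipping bit+1 (mod N)
    in block j+1 cancels it. Requires j + 1 < len(data).
    """
    out = bytearray(data)
    out[j] ^= 1 << bit
    out[j + 1] ^= rotl(1 << bit)
    return bytes(out)


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input
    swapped = msg[::-1]
    print("XOR  hash, original vs reversed:", xor_hash(msg), xor_hash(swapped))
    print("RXOR hash, original vs reversed:", rxor_hash(msg), rxor_hash(swapped))
    edited = same_hash_edit(msg, 3, 0)
    print("RXOR hash unchanged after edit:", rxor_hash(edited) == rxor_hash(msg))
```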
Birthday Attack
• The adversary generates $2^{m/2}$ variants of a valid message and an equal number of fraudulent messages
• The two sets are compared to find one message from each set with a common hash value
• The valid message is offered for signature
• The fraudulent message with the same hash value is inserted in its place
• If a 64-bit hash code is used, the level of effort is only on the order of $2^{32}$
• Conclusion: the length of the hash code must be substantial
Generating $2^{m/2}$ Variants of Valid Messages
• Insert a number of “space-backspace-space” character pairs between words throughout the document. Variations could then be generated by substituting “space-backspace-space” in selected instances
• Alternatively, simply reword the message but retain the meaning
Brute-Force Attack of Hash Functions
• Three desirable properties of hash functions
– One-way: For any given code h, it is computationally infeasible to find x s.t. H(x) = h
– Weak collision resistance: For any given block x, it is computationally infeasible to find y ≠ x s.t. H(y) = H(x)
– Strong collision resistance: It is computationally infeasible to find any pair (x, y) s.t. H(y) = H(x)
• Brute-force attack on n-bit hash code
– One-way and weak collision require $2^n$ effort
– Strong collision requires $2^{n/2}$ effort
– If strong collision resistance is required (and this is desirable for a general-purpose secure hash code), $2^{n/2}$ determines the strength of the hash code against brute-force attack
– Currently, the two most popular hash codes, SHA-1 and RIPEMD-160, provide a 160-bit hash code length
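An added example (not part of the original slides) that measures the two brute-force costs discussed in the Birthday Attack and Brute-Force Attack slides. SHA-256 truncated to n bits is used as a deliberately short hash code; the truncation, the constructed input strings and the function names are assumptions chosen so the search finishes quickly.

```python
import hashlib
from itertools import count


def h_trunc(message: bytes, n_bits: int) -> int:
    """SHA-256 truncated to its top n_bits: a deliberately short hash code."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - n_bits)


def collision_trials(n_bits: int):
    """Strong collision: hash distinct messages until any two agree.

    Returns (trials, x, y); the expected number of trials is about 2^(n/2).
    """
    seen = {}
    for i in count():
        msg = b"variant-%d" % i  # constructed, distinct inputs
        code = h_trunc(msg, n_bits)
        if code in seen:
            return i + 1, seen[code], msg
        seen[code] = msg


def second_preimage_trials(target: bytes, n_bits: int, limit: int):
    """Weak collision: hash candidates until one matches the code of `target`.

    Returns (trials, y), or (limit, None); expected trials are about 2^n.
    """
    goal = h_trunc(target, n_bits)
    for i in range(limit):
        msg = b"candidate-%d" % i  # constructed inputs
        if msg != target and h_trunc(msg, n_bits) == goal:
            return i + 1, msg
    return limit, None


def compare(n_bits: int = 16) -> dict:
    """Run both searches for the same hash length and report the trial counts."""
    c_trials, x, y = collision_trials(n_bits)
    p_trials, z = second_preimage_trials(
        b"original message", n_bits, 1 << (n_bits + 5))
    return {"n_bits": n_bits, "collision_trials": c_trials, "pair": (x, y),
            "second_preimage_trials": p_trials, "match": z}


if __name__ == "__main__":
    print(compare(16))
```

Each extra bit of hash length doubles the second-preimage cost but raises the collision cost only by a factor of about 1.4, which is why the collision bound sets the required length.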