Upload
eleanore-charity-malone
View
214
Download
0
Embed Size (px)
Citation preview
Message Message Authentication and Authentication and
Hash FunctionsHash Functions
K. U. KhimaniK. U. Khimani
Asst. Prof.Asst. Prof.
IT Dept.IT Dept.
VVP Engineering CollegeVVP Engineering College
What is Authentication?What is Authentication?
In the context of computer systems, authentication is a process that ensures and confirms a user’s identity.
For example, ID-Password combination, biometrics(retina, fingerprints…), etc.
MessageMessage AuthenticationAuthentication
Message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution)*
Will consider the Security Requirements
Then three alternative functions used: Message Encryption Message Authentication Code (MAC) Hash Function
Message Security RequirementsMessage Security Requirements
disclosure traffic analysis masquerade content modification sequence modification timing modification source repudiation destination repudiation
In summary, message authentication is a procedure to verify that In summary, message authentication is a procedure to verify that received messages come from the alleged source and have not received messages come from the alleged source and have not been altered. Message authentication may also verify sequencing been altered. Message authentication may also verify sequencing
and timelinessand timeliness. .
Symmetric Message EncryptionSymmetric Message Encryption
Encryption can also provide Authentication. If symmetric encryption is used then:
receiver know sender must have created it since only sender and receiver now key used know content cannot of been altered
if message has suitable structure, redundancy or a checksum to detect any changes.
Public-Key Message EncryptionPublic-Key Message Encryption
If public-key encryption is used: encryption provides no confidence of sender since anyone potentially knows public-key however if sender signs message using their private-key,
then encrypts with recipients public key have both secrecy and authentication.
The disadvantage of this approach is that, the public key algorithm, which is complex, must be exercised four times rather than two in each communication.
Message Authentication Code Message Authentication Code (MAC)(MAC)
generated by an algorithm that creates a small fixed-sized block
depends on both message and some key
appended to message as a signature
receiver performs same computation on message and checks it matches the MAC
provides assurance that message is unaltered and comes from sender
MACMAC A small fixed-sized block of data
generated from message + secret key
MAC = C(K,M) M = input message C = MAC function K = shared secret key
appended to message when sent
MACMAC
as shown the MAC provides authenticationas shown the MAC provides authentication
can also use encryption for secrecycan also use encryption for secrecy generally use separate keys for eachgenerally use separate keys for each can compute MAC either before or after encryptioncan compute MAC either before or after encryption is generally regarded as better done beforeis generally regarded as better done before
why use a MAC?why use a MAC? sometimes only authentication is neededsometimes only authentication is needed
note that a MAC is not a digital signaturenote that a MAC is not a digital signature
Why MAC?Why MAC? Symmetric Encryption provides authentication and Symmetric Encryption provides authentication and
because it is widely used with readily available products, because it is widely used with readily available products, why not simply use this instead of a separate MAC?why not simply use this instead of a separate MAC?
We will discuss situations in which a message We will discuss situations in which a message authentication code is used.authentication code is used.
Why MAC?Why MAC?(1)(1)
There are a number of applications in which the same There are a number of applications in which the same message is broadcast to a number of destinations.message is broadcast to a number of destinations.E.g. notifications to users that the network is now E.g. notifications to users that the network is now unavailable or an alarm signal in a military control centre.unavailable or an alarm signal in a military control centre.It is cheaper and more reliable to have only one It is cheaper and more reliable to have only one destination responsible for monitoring authenticity.destination responsible for monitoring authenticity.Thus, the message must be broadcast in plaintext with an Thus, the message must be broadcast in plaintext with an associated MAC.associated MAC.The responsible system has the secret key and performs The responsible system has the secret key and performs authentication. If violation occurs, the other destination authentication. If violation occurs, the other destination systems are alerted by general alarm.systems are alerted by general alarm.
Why MAC?Why MAC?(2)(2)
Another possible scenario is an exchange in which one Another possible scenario is an exchange in which one side has a heavy load and cannot afford the time to decrypt side has a heavy load and cannot afford the time to decrypt all incoming messages.all incoming messages.Authentication is carried out on a selective basis, Authentication is carried out on a selective basis, message being chosen at random for checking.message being chosen at random for checking.
Why MAC?Why MAC?(3)(3)
Authentication of a computer program in plaintext as an Authentication of a computer program in plaintext as an attractive service.attractive service.The computer program can be executed without having to The computer program can be executed without having to decrypt it every time, which would be wasteful of processor decrypt it every time, which would be wasteful of processor resources.resources.However, if a MAC were attached to the program, it could However, if a MAC were attached to the program, it could be checked whenever assurance was required of the be checked whenever assurance was required of the integrity of the program.integrity of the program.
MACMAC
a MAC is a cryptographic checksuma MAC is a cryptographic checksum
MAC = CMAC = CKK(M)(M) condenses a variable-length message Mcondenses a variable-length message M using a secret key Kusing a secret key K to a fixed-sized authenticatorto a fixed-sized authenticator
is a many-to-one functionis a many-to-one function potentially many messages have same MACpotentially many messages have same MAC but finding these needs to be very difficultbut finding these needs to be very difficult
Requirements for MACsRequirements for MACs
taking into account the types of attacks, need the MAC taking into account the types of attacks, need the MAC to satisfy the following:to satisfy the following:
1.1. knowing a message and MAC, is infeasible to find knowing a message and MAC, is infeasible to find another message with same MACanother message with same MAC
2.2. MACs should be uniformly distributed in the sense MACs should be uniformly distributed in the sense that, for two randomly chosen messages, probability that, for two randomly chosen messages, probability that C(K,M) = C(K,M’) is 2^-n, where n is the that C(K,M) = C(K,M’) is 2^-n, where n is the number of bits in MAC.number of bits in MAC.
3.3. MAC should depend equally on all bits of the MAC should depend equally on all bits of the messagemessage
Using Symmetric Ciphers for Using Symmetric Ciphers for MACsMACs
can use any block cipher chaining mode and use final can use any block cipher chaining mode and use final block as a MACblock as a MAC
Data Authentication Algorithm (DAA)Data Authentication Algorithm (DAA) is a widely used is a widely used MAC based on DES-CBCMAC based on DES-CBC using IV=0 and zero-pad of final blockusing IV=0 and zero-pad of final block encrypt message using DES in CBC modeencrypt message using DES in CBC mode and send just the final block as the MACand send just the final block as the MAC
• or the leftmost M bits (16or the leftmost M bits (16≤M≤64) of final block≤M≤64) of final block
but final MAC is now too small for securitybut final MAC is now too small for security
Data Authentication AlgorithmData Authentication Algorithm
Hash FunctionsHash Functions
A hash value h is generated by a function H of the form h A hash value h is generated by a function H of the form h = H(M)= H(M)
where M is a variable-length message and H(M) where M is a variable-length message and H(M) is a fixed-length hash value.is a fixed-length hash value.
The hash value is appended to the message at the The hash value is appended to the message at the source. The receiver authenticates that message by source. The receiver authenticates that message by recomputing the hash value.recomputing the hash value.
Requirements of a Hash FunctionRequirements of a Hash Function
H can be applied to a block of data of any size.H can be applied to a block of data of any size. H produces a fixed-length output.H produces a fixed-length output. H(x) is relatively easy to compute for any given xH(x) is relatively easy to compute for any given x For any h, it is computationally infeasible to find x such For any h, it is computationally infeasible to find x such
that H(x) = h. It is One-way Property.that H(x) = h. It is One-way Property. For any given block x, it is computationally infeasible to For any given block x, it is computationally infeasible to
find y ≠ x such that H(y) = H(x). It is called Weak find y ≠ x such that H(y) = H(x). It is called Weak Collision Resistance.Collision Resistance.
It is computationally infeasible to find any It is computationally infeasible to find any xx and and yy, with , with x x y y such that such that H(x) = H(y). It is called Strong H(x) = H(y). It is called Strong Collision Resistance.Collision Resistance.
Basic uses of Hash FunctionBasic uses of Hash Function
Confidentiality and Authentication
Authentication
Authentication, Digital Signature
Basic uses of Hash FunctionBasic uses of Hash Function
Authentication, DS, Confidentiality
Authentication (No encryption needed)
Authentication, Confidentiality
Simple Hash FunctionSimple Hash Function
Security of MACs and HashSecurity of MACs and Hash
Just as with symmetric and public-key encryption, we Just as with symmetric and public-key encryption, we can group attacks on hash functions and MACs into two can group attacks on hash functions and MACs into two categories: brute-force attacks and cryptanalysis.categories: brute-force attacks and cryptanalysis.
brute-forcebrute-force attacks exploiting attacks exploiting strong collision resistance hash have cost 2strong collision resistance hash have cost 2
mm//22
• 128-bit hash looks vulnerable, 160-bits better128-bit hash looks vulnerable, 160-bits better MACs with known message-MAC pairsMACs with known message-MAC pairs
• can either attack key space (cf key search) or MACcan either attack key space (cf key search) or MAC• at least 128-bit MAC is needed for securityat least 128-bit MAC is needed for security
Security of MACs and HashSecurity of MACs and Hash
A brute-force attack on a MAC is a more difficult A brute-force attack on a MAC is a more difficult undertaking than a brute-force attack on a hash function undertaking than a brute-force attack on a hash function because it requires known message-MAC pairs.because it requires known message-MAC pairs.
A brute-force attack on MAC has cost related to A brute-force attack on MAC has cost related to min(2^k,2^n), similar to symmetric encryption algorithms. min(2^k,2^n), similar to symmetric encryption algorithms. It is required that min (k, n) >= N, where N is perhaps in It is required that min (k, n) >= N, where N is perhaps in the range of 128 bits.the range of 128 bits.
Security of MACs and HashSecurity of MACs and Hash cryptanalytic attackscryptanalytic attacks exploit internal structure of f and exploit internal structure of f and
is based on attempts to find efficient techniques for is based on attempts to find efficient techniques for producing collision for a single execution of f.producing collision for a single execution of f.
Once that is done, the attack must take into account the Once that is done, the attack must take into account the fixed value of IV.fixed value of IV. like block ciphers want brute-force attacks to be the like block ciphers want brute-force attacks to be the
best alternativebest alternative
more variety of MACs so harder to generalize about more variety of MACs so harder to generalize about cryptanalysis. cryptanalysis.
Keyed Hash Functions as MACsKeyed Hash Functions as MACs want a MAC based on a hash function want a MAC based on a hash function
because hash functions are generally fasterbecause hash functions are generally faster crypto hash function code is widely availablecrypto hash function code is widely available
hash includes a key along with messagehash includes a key along with message
original proposal:original proposal:
Keyed Hash = Hash(Key | Message) Keyed Hash = Hash(Key | Message) some weaknesses were found with this some weaknesses were found with this
eventually led to development of HMAC eventually led to development of HMAC
HMAC HMAC Design ObjectivesDesign Objectives
use, without modifications, hash functionsuse, without modifications, hash functions
allow for easy replaceability of embedded hash functionallow for easy replaceability of embedded hash function
preserve original performance of hash function without preserve original performance of hash function without significant degradationsignificant degradation
use and handle keys in a simple way.use and handle keys in a simple way.
have well understood cryptographic analysis of have well understood cryptographic analysis of authentication mechanism strengthauthentication mechanism strength
HMACHMAC
specified as Internet standard RFC2104 specified as Internet standard RFC2104 uses hash function on the message:uses hash function on the message:
HMACHMACKK(M)= Hash[(K(M)= Hash[(K++ XOR opad) || XOR opad) || Hash[(KHash[(K++ XOR ipad) || M)] ] XOR ipad) || M)] ]
o MM is the message to be authenticated, is the message to be authenticated,o ∥ ∥ denotes concatenation,denotes concatenation,o ⊕ ⊕ denotes exclusive or (XOR),denotes exclusive or (XOR),o KK++ is the key padded out to sizeis the key padded out to sizeo opadopad, , ipad ipad are specified padding constants are specified padding constants any hash function can be usedany hash function can be used
E.g. MD5, SHA-1, RIPEMD-160, WhirlpoolE.g. MD5, SHA-1, RIPEMD-160, Whirlpool
HMAC HMAC OverviewOverview
HMACHMAC
Append zeros to the left end of K to create a b-bit string Append zeros to the left end of K to create a b-bit string K+ (if K is of length 160 bits and b = 512, then K will be K+ (if K is of length 160 bits and b = 512, then K will be appended with 44 zero bytes).appended with 44 zero bytes).
HMAC HMAC SecuritySecurity
proved proved security of HMAC relates to that of the underlying security of HMAC relates to that of the underlying hash algorithmhash algorithm
attacking HMAC requires either:attacking HMAC requires either: brute force attack on key usedbrute force attack on key used birthday attack (but since keyed would need to birthday attack (but since keyed would need to
observe a very large number of messages)observe a very large number of messages)
choose hash function used based on speed verses choose hash function used based on speed verses security constraintssecurity constraints