CN-5.ppt

(1)

Cryptography and

Network Security

Chapter 11

Fourth Edition

by William Stallings

(2)

Chapter 11 –

Message

Authentication and Hash

Functions

 _{At cats' green on the Sunday he took the message from}_{At cats' green on the Sunday he took the message from} the inside of the pillar and added Peter Moran's name to

the inside of the pillar and added Peter Moran's name to

the two names already printed there in the "Brontosaur"

code. The message now read: “Leviathan to Dragon:

Martin Hillman, Trevor Allan, Peter Moran: observe and

tail.” What was the good of it John hardly knew. He felt

better, he felt that at last he had made an attack on Peter

Moran instead of waiting passively and effecting no

retaliation. Besides, what was the use of being in

possession of the key to the codes if he never took

advantage of it?

(3)

Message Authentication

 message authentication is concerned with: _{message authentication is concerned with:}  protecting the integrity of a message protecting the integrity of a message

 validating identity of originator validating identity of originator

 non-repudiation of origin (dispute resolution)non-repudiation of origin (dispute resolution)  will consider the security requirements_{will consider the security requirements}  then three alternative functions used:_{then three alternative functions used:}

 message encryptionmessage encryption

(4)

Security Requirements



disclosure



traffic analysis



masquerade



content modification



sequence modification



timing modification



source repudiation

(5)

Message Encryption



message encryption by itself also provides

a measure of authentication



if symmetric encryption is used then:

 receiver know sender must have created itreceiver know sender must have created it  since only sender and receiver now key usedsince only sender and receiver now key used  know content cannot of been alteredknow content cannot of been altered

 if message has if message has suitable structure, redundancy suitable structure, redundancy

(6)

Message Encryption



if public-key encryption is used:

 encryption provides no confidence of senderencryption provides no confidence of sender  since anyone potentially knows public-keysince anyone potentially knows public-key  however if however if

• sender _sendersignssigns message using their private-key message using their private-key

• then encrypts with recipients public key_{then encrypts with recipients public key}

• have both secrecy and authentication_{have both secrecy and authentication}

(7)

Message Authentication Code

(MAC)



generated by an algorithm that creates a

small fixed-sized block

 depending on both message and some keydepending on both message and some key  like encryption though need not be reversiblelike encryption though need not be reversible



appended to message as a

signature



receiver performs same computation on

message and checks it matches the MAC



provides assurance that message is

(8)

Message Authentication Code

(9)

Message Authentication

Codes

 as shown the MAC provides authentication_{as shown the MAC provides authentication}  can also use encryption for secrecy_{can also use encryption for secrecy}

 generally use separate keys for eachgenerally use separate keys for each

 can compute MAC either before or after encryptioncan compute MAC either before or after encryption  is generally regarded as better done beforeis generally regarded as better done before

 why use a MAC?_{why use a MAC?}

 sometimes only authentication is neededsometimes only authentication is needed

 sometimes need authentication to persist longer than sometimes need authentication to persist longer than the encryption (eg. archival use)

the encryption (eg. archival use)

(10)

MAC Properties



a MAC is a cryptographic checksum

MAC = C

MAC = CKK(M)(M)

 condenses a variable-length message Mcondenses a variable-length message M  using a secret key Kusing a secret key K

 to a fixed-sized authenticatorto a fixed-sized authenticator



is a many-to-one function

(11)

Requirements for MACs



taking into account the types of attacks



need the MAC to satisfy the following:

1.

1. knowing a message and MAC, is infeasible knowing a message and MAC, is infeasible

to find another message with same MAC to find another message with same MAC

2.

2. MACs should be uniformly distributedMACs should be uniformly distributed

3.

3. MAC should depend equally on all bits of the MAC should depend equally on all bits of the

(12)

Using Symmetric Ciphers for

MACs



can use any block cipher chaining mode

and use final block as a MAC



Data Authentication Algorithm (DAA)

is

a widely used MAC based on DES-CBC

 using IV=0 and zero-pad of final blockusing IV=0 and zero-pad of final block

 encrypt message using DES in CBC modeencrypt message using DES in CBC mode  and send just the final block as the MACand send just the final block as the MAC

• or the leftmost M bits (16_{or the leftmost M bits (16}≤M≤64) of final block≤M≤64) of final block

(13)

(14)

Hash Functions



condenses arbitrary message to fixed size

h = H(M)



usually assume that the hash function is

public and not keyed

 cf. MAC which is keyedcf. MAC which is keyed



hash used to detect changes to message



can use in various ways with message

(15)

Hash Functions & Digital

(16)

Requirements for Hash

Functions

1.

1. can be applied to any sized message can be applied to any sized message M_M

2.

2. produces fixed-length output produces fixed-length output hh

3.

3. is easy to compute is easy to compute h=H(M)h=H(M) for any message for any message MM

4.

4. given given h_h is infeasible to find is infeasible to find x_x s.t. s.t. H(x)=h_H(x)=h

• one-way propertyone-way property

5.

5. given given xx is infeasible to find is infeasible to find yy s.t s.t. H(y)=H(x). H(y)=H(x)

• weak collision resistanceweak collision resistance

6.

6. is infeasible to find any is infeasible to find any x,y_x,y s.t s.t. H(y)=H(x)_{. H(y)=H(x)}

(17)

Simple Hash Functions



are several proposals for simple functions



based on XOR of message blocks



not secure since can manipulate any

message and either not change hash or

change hash also



need a stronger cryptographic function

(18)

Birthday Attacks

 might think a 64-bit hash is secure_{might think a 64-bit hash is secure}  _{but by}_{but by}_{Birthday Paradox}_{Birthday Paradox}_{is not}_{is not}

 _{birthday attack}_{birthday attack}_{works thus:}_{works thus:}

 opponent generates 2opponent generates 2mm//₂₂variations of a valid message variations of a valid message all with essentially the same meaning

all with essentially the same meaning

 opponent also generates 2opponent also generates 2mm//₂₂ variations of a desired variations of a desired fraudulent message

fraudulent message

 two sets of messages are compared to find pair with two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox) same hash (probability > 0.5 by birthday paradox)

 have user sign the valid message, then substitute the have user sign the valid message, then substitute the forgery which will have a valid signature

forgery which will have a valid signature

(19)

Block Ciphers as Hash

Functions



can use block ciphers as hash functions

 using Husing H

0

0=0 and zero-pad of final block=0 and zero-pad of final block

 compute: Hcompute: H

i

i = E = EMM_i_i [H [Hi-1i-1]]

 and use final block as the hash valueand use final block as the hash value

 similar to CBC but without a keysimilar to CBC but without a key



resulting hash is too small (64-bit)

 both due to direct birthday attackboth due to direct birthday attack

 and to “meet-in-the-middle” attackand to “meet-in-the-middle” attack

(20)

Hash Functions & MAC

Security



like block ciphers have:



brute-force

attacks exploiting

 strong collision resistance hash have cost 2strong collision resistance hash have cost 2mm//₂₂ • have proposal for h/w MD5 cracker_{have proposal for h/w MD5 cracker}

• 128-bit hash looks vulnerable, 160-bits better_{128-bit hash looks vulnerable, 160-bits better}

 MACs with known message-MAC pairsMACs with known message-MAC pairs

• can either attack keyspace (cf key search) or MAC_{can either attack keyspace (cf key search) or MAC}

(21)

Hash Functions & MAC

Security

 cryptanalytic attacks_{cryptanalytic attacks} exploit structure_{exploit structure}

 like block ciphers want brute-force attacks to be the like block ciphers want brute-force attacks to be the best alternative

best alternative

 have a number of analytic attacks on iterated _{have a number of analytic attacks on iterated}

hash functions hash functions

 CVCV

i

i = f[CV = f[CVi-1i-1, M, Mii]; H(M)=CV]; H(M)=CVNN

 typically focus on collisions in function ftypically focus on collisions in function f

(22)

Summary



have considered:

 message authentication usingmessage authentication using  message encryptionmessage encryption

 MACsMACs

 hash functionshash functions