
Message Authentication and Hash Functions


Academic year: 2021


Authentication Requirements

- Kinds of attacks (threats) in the context of communications across a network:
  1. Disclosure
  2. Traffic analysis (discover the pattern)
  3. Masquerade (insert a message from a fraudulent source)
  4. Content modification
  5. Sequence modification (insert, delete, reorder)
  6. Timing modification (delay or replay)
  7. Source repudiation (denial of a transmission)
  8. Destination repudiation (denial of a receipt)
- Measures to deal with the first two attacks:
  - These fall in the realm of message confidentiality and are addressed with encryption
- Measures to deal with items 3 through 6:
  - Message authentication
- Measures to deal with items 7 and 8:
  - Digital signature
- Message authentication
  - A procedure to verify that messages come from the alleged source and have not been altered
  - Message authentication may also verify sequencing and timeliness
- Digital signature
  - An authentication technique that also includes measures to counter repudiation by either source or destination

Authentication Functions

- A message authentication or digital signature mechanism can be viewed as having two levels:
  - An authenticator and a high-level authentication protocol
- Three classes of functions can be used to produce an authenticator:
  - Message encryption
    - The ciphertext itself serves as the authenticator
  - Message authentication code (MAC)
    - A public function of the message and a secret key that produces a fixed-length value that serves as the authenticator
  - Hash function
    - A public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator

Message Encryption

- Conventional encryption can serve as an authenticator
- Conventional encryption provides authentication as well as confidentiality
- If symmetric encryption is used:
  - The receiver knows the sender must have created it
  - The receiver knows the content cannot be altered, if the message has suitable structure, redundancy or a checksum to detect any changes
- If public-key encryption is used:
  - Encryption provides confidentiality, but not authentication
  - It can provide authentication as well as signature, but at the cost of two public-key uses on the message

[Figure: Basic Uses of Message Encryption]

Ways of Providing

- Append an error-detecting code (frame check sequence (FCS)) to each message

[Figure: Implications of Message Encryption]

Message Authentication Code

- Uses a shared secret key to generate a fixed-size block of data (known as a cryptographic checksum or MAC) that is appended to the message
- MAC = C_K(M)
- Assurances:
  - The message has not been altered
  - The message is from the alleged sender
  - The message sequence is unaltered (requires internal sequencing)
- Similar to encryption, but the MAC algorithm need not be reversible

[Figure: Basic Uses of MAC]

Where Are MACs Used?

- In applications where the same message is broadcast to a number of destinations, it is sent in plaintext with an associated MAC to prove authentication.
- Situations where authentication cannot be done for every message, but on selective messages
- Authentication of a computer program in plaintext is very attractive and also proves integrity
- In applications where the message need not be kept secret, but it is very important to authenticate messages

Hash Function

- Accepts a variable-size message M as input and produces a fixed-size hash code H(M) (sometimes called a message digest) as output
- The hash code is a function of all the bits of the message and provides an error-detection capability.
- Can be used with encryption for authentication:
  - E(M || H)
  - M || E(H)
  - M || signed H
  - E(M || signed H) gives confidentiality
  - M || H(M || K)
  - E(M || H(M || K))

[Figure: Basic Uses of Hash Function]

Requirements for MAC Functions

- Assume that an opponent knows the MAC function C but does not know K. Then the MAC function should have the following properties:

MAC = C_K(M)

1. Given M and C_K(M), it must be computationally infeasible to construct M' s.t. C_K(M') = C_K(M)
2. C_K(M) should be uniformly distributed in the sense that for any M and M', Pr[C_K(M) = C_K(M')] should be 2^{-n}, where n is the length of the MAC
3. Let M' be equal to some known transformation on M. That is, M' = f(M). In that case, Pr[C_K(M) = C_K(M')] = 2^{-n}

MAC Based on DES

- Uses the CBC mode of operation of DES with IV = 0
- Referred to as the Data Authentication Algorithm (FIPS PUB 113 and ANSI standard X9.17)
- O_N = E_K(D_N XOR O_{N-1})
- The Data Authentication Code (DAC) consists of the 16 to 64 leftmost bits of O_N

Hash Functions

- h = H(M)
- M is a variable-length message, h is a fixed-length hash value, H is a hash function
- The hash value is appended at the source
- The receiver authenticates the message by recomputing the hash value
- Because the hash function itself is not considered to be secret, some means is required to protect the hash value

Hash Function Requirements

1. H can be applied to any size data block
2. H produces fixed-length output
3. H(x) is relatively easy to compute for any given x
4. H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x)
5. H is weakly collision resistant: given x, it is computationally infeasible to find any y ≠ x s.t. H(x) = H(y)
6. H is strongly collision resistant: it is computationally infeasible to find any x and y s.t. H(x) = H(y)

- The one-way property is essential for authentication
- Weak collision resistance is necessary to prevent forgery
- Strong collision resistance is important for resistance to birthday attack
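The gap between requirements 5 and 6 can be measured on a deliberately short hash. The Python below is an added example, not part of the original slides: it truncates SHA-256 to a chosen number of bits (an assumption made so the searches finish quickly) and counts the hashes needed for a weak collision (about 2^n) and for a strong collision (about 2^(n/2), the birthday bound). All function names and messages are constructed for the illustration.

```python
import hashlib


def h_trunc(message: bytes, bits: int) -> int:
    """Toy hash: the leftmost `bits` bits of SHA-256(message)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Strong collision: any pair x != y with H(x) = H(y).

    Returns (x, y, hashes_computed). By the pigeonhole principle this
    always stops within 2**bits + 1 hashes; the birthday bound says it
    typically stops after roughly 2**(bits / 2).
    """
    seen = {}
    n = 0
    while True:
        msg = b"msg-%d" % n          # constructed, distinct candidate messages
        n += 1
        h = h_trunc(msg, bits)
        if h in seen:
            return seen[h], msg, n
        seen[h] = msg


def find_second_preimage(target_msg: bytes, bits: int, max_trials: int):
    """Weak collision: a y != x with H(y) = H(x) for one given x.

    Returns (y, hashes_computed), or None if max_trials is exhausted.
    Each trial succeeds with probability 2**-bits, so the expected cost
    is about 2**bits hashes.
    """
    target = h_trunc(target_msg, bits)
    for n in range(max_trials):
        msg = b"try-%d" % n
        if msg != target_msg and h_trunc(msg, bits) == target:
            return msg, n + 1
    return None


if __name__ == "__main__":
    BITS = 16
    x, y, pair_cost = find_collision(BITS)
    print("strong collision:", x, y, "after", pair_cost, "hashes")
    found = find_second_preimage(b"invoice 1001: pay 10", BITS, 2_000_000)
    print("weak collision:", found)
```

Doubling the digest length squares the cost of the strong-collision search, which is why a digest that is long enough against forgery can still be too short against the birthday attack.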

HASH Algorithms

- MD5 Message Digest Algorithm
- Secure Hash Algorithm (SHA-1 and SHA-512)
- RIPEMD-160
- HMAC

Hash Algorithm Structure

- The hash algorithm involves repeated use of a compression function, f, that takes two inputs (an n-bit input from the previous step and a b-bit block) and produces an n-bit output

MD5 Message Digest Algorithm

- Developed by Ron Rivest at MIT
- Input: a message of arbitrary length
- Output: 128-bit message digest
- 32-bit word units, 512-bit blocks

MD5 Logic

- Step 1: Append padding bits
  - The message is padded so that its bit length ≡ 448 mod 512 (i.e., the length of the padded message is 64 bits less than an integer multiple of 512 bits)
  - Padding is always added, even if the message is already of the desired length (1 to 512 bits)
  - Padding bits: 1000…0 (a single 1-bit followed by the necessary number of 0-bits)
- Step 2: Append length
  - 64-bit length: contains the length of the original message modulo 2^{64}
  - The expanded message is Y_0, Y_1, …, Y_{L-1}; the total length is L × 512 bits
  - The expanded message can be thought of as a multiple of 16 32-bit words
  - Let M[0 … N-1] denote the words of the resulting message, where N = L × 16
- Step 3: Initialize MD buffer
  - A 128-bit buffer (four 32-bit registers A, B, C, D) is used to hold intermediate and final results of the hash function
  - A, B, C, D are initialized to the following values:
    - A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476
  - Stored in little-endian format (least significant byte of a word in the low-address byte position)
    - E.g. word A: 01 23 45 67 (low address … high address)
- Step 4: Process message in 512-bit (16-word) blocks
  - The heart of the algorithm is called a compression function
  - Consists of 4 rounds
  - The 4 rounds have a similar structure, but each uses a different primitive logical function, referred to as F, G, H, and I
  - Each round takes as input the current 512-bit block (Y_q) and the 128-bit buffer value ABCD, and updates the contents of the buffer
  - Each round also uses the table T[1 … 64], constructed from the sine function; T[i] = 2^{32} × abs(sin(i))
  - The output of the 4th round is added to CV_q to produce CV_{q+1}
- Table T, constructed from the sine function
  - T[i] = integer part of 2^{32} × abs(sin(i)), where i is in radians
- Step 5: Output
  - After all L 512-bit blocks have been processed, the output from the L-th stage is the 128-bit message digest

CV_0 = IV
CV_{q+1} = SUM_32(CV_q, RF_I[Y_q, RF_H[Y_q, RF_G[Y_q, RF_F[Y_q, CV_q]]]])
MD = CV_L

where
IV = initial value of the ABCD buffer, defined in step 3
Y_q = the q-th 512-bit block of the message
L = the number of blocks in the message (including padding and length fields)
CV_q = chaining variable processed with the q-th block of the message
RF_x = round function using primitive logical function x
MD = final message digest value
SUM_32 = addition modulo 2^{32} performed separately on each word

MD5 Compression Function

- Each round consists of a sequence of 16 steps operating on the buffer ABCD
- Each step is of the form

a ← b + ((a + g(b, c, d) + X[k] + T[i]) <<< s)

where
a, b, c, d = the 4 words of the buffer, in a specified order that varies across steps
g = one of the primitive functions F, G, H, I
<<< s = circular left shift (rotation) of the 32-bit argument by s bits
X[k] = M[q × 16 + k] = the k-th 32-bit word in the q-th 512-bit block of the message
T[i] = the i-th 32-bit word in table T
+ = addition modulo 2^{32}

[Figure: Elementary MD5 Operation (Single Step)]

MD5 Primitive Logical Functions

- One of the 4 primitive logical functions is used in each of the 4 rounds of the algorithm
- Each primitive function takes three 32-bit words as input and produces a 32-bit word output
- Each function performs a set of bitwise logical operations

Round   Primitive function g   g(b, c, d)
1       F(b, c, d)             (b ∧ c) ∨ (b' ∧ d)
2       G(b, c, d)             (b ∧ d) ∨ (c ∧ d')
3       H(b, c, d)             b ⊕ c ⊕ d
4       I(b, c, d)             c ⊕ (b ∨ d')

Truth table

b  c  d  |  F  G  H  I
0  0  0  |  0  0  0  1
0  0  1  |  1  0  1  0
0  1  0  |  0  1  1  0
0  1  1  |  1  0  0  1
1  0  0  |  0  0  1  1
1  0  1  |  0  1  0  1
1  1  0  |  1  1  0  0
1  1  1  |  1  1  1  0

- The array of 32-bit words X[0..15] holds the value of the current 512-bit input block being processed
- Within a round, each of the 16 words of X[i] is used exactly once, during one step
  - The order in which these words are used varies from round to round
  - In the first round, the words are used in their original order
  - For rounds 2 through 4, the following permutations are used:
    - ρ_2(i) = (1 + 5i) mod 16
    - ρ_3(i) = (5 + 3i) mod 16
    - ρ_4(i) = 7i mod 16

MD4

- Precursor to MD5
- Design goals of MD4 (which are carried over to MD5):
  - Security
  - Speed
  - Simplicity and compactness
  - Favor little-endian architecture
- Main differences between MD5 and MD4:
  1. A fourth round has been added.
  2. Each step now has a unique additive constant.
  3. The function g in round 2 was changed from (bc v bd v cd) to (bd v cd') to make g less symmetric.
  4. Each step now adds in the result of the previous step. This promotes a faster "avalanche effect".
  5. The order in which input words are accessed in rounds 2 and 3 is changed, to make these patterns less like each other.
  6. The shift amounts in each round have been approximately optimized, to yield a faster "avalanche effect." The shifts in different rounds are distinct.

Secure Hash Algorithm

- SHA was originally designed by NIST & NSA in 1993
- It was revised in 1995 as SHA-1
- US standard for use with the DSA signature scheme
- The standard is FIPS 180-1 1995, also Internet RFC 3174
- N.B. the algorithm is SHA, the standard is SHS
- Based on the design of MD4, with key differences
- Produces 160-bit hash values

Revised Secure Hash Standard

- NIST issued revision FIPS 180-2 in 2002
- It adds 3 additional versions of SHA:
  - SHA-256, SHA-384, SHA-512
- Designed for compatibility with the increased security provided by the AES cipher
- Structure and detail are similar to SHA-1
- Hence analysis should be similar
- But security levels are rather higher

[Figure: SHA-512 Overview]

SHA-512 Algorithm Steps

- Now examine the structure of SHA-512, noting that the other versions are quite similar.
- The processing consists of the following steps:
- Step 1: Append padding bits. The message is padded so that its length is congruent to 896 modulo 1024 [length ≡ 896 (mod 1024)]
- Step 2: Append length. A block of 128 bits is appended to the message
- Step 3: Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h), which are initialised as follows:
    a = 6A09E667F3BCC908
    b = BB67AE8584CAA73B
    c = 3C6EF372FE94F82B
    d = A54FF53A5F1D36F1
    e = 510E527FADE682D1
    f = 9B05688C2B3E6C1F
    g = 1F83D9ABFB41BD6B
    h = 5BE0CD19137E2179
  (stored in big-endian format)
- Step 4: Process the message in 1024-bit (128-word) blocks. The heart of the algorithm is a module that consists of 80 rounds. Each round takes as input the 512-bit buffer value abcdefgh, and updates the contents of the buffer.
- Step 5: Output the final state value as the resulting hash. After all N 1024-bit blocks have been processed, the output from the N-th stage is the 512-bit message digest.

[Figure: SHA-512 Processing of a Single 1024-Bit Block]

[Figure: Elementary SHA-512 Operation (Single Round)]

SHA-512 Round Function

- Each round is defined by the following set of equations
- The first 16 values of W_t are taken directly from the 16 words of the current block. The remaining values are defined as follows

HMAC

- Increased interest in recent years in developing a MAC based on a hash function
  - MD5 and SHA-1 run faster than symmetric block ciphers such as DES
  - Code for hash functions is widely available
  - No export restrictions for cryptographic hash functions
    - Cryptographic functions (even those used in MAC) restricted
- Hash values are not intended for MAC: they are not protected by secret keys
  - Some protection needs to be built on top of the hash value
- The one approach that gained wide support is HMAC (RFC 2104), included in IP security and SSL
- Requirements for HMAC:
  - Use existing hash functions
  - The hash function can be easily replaced by another one: treat the hash function as a black box
  - Preserve the performance of the hash function

HMAC Algorithm

- The hash includes a key along with the message
- Original proposal:
  - KeyedHash = Hash(Key|Message)
  - Some weaknesses were found with this
- Eventually led to the development of HMAC
- Specified as Internet standard RFC 2104
- Idea: append a secret key to the message and compute the hash value
  - To avoid a brute-force attack, apply the hash twice to mangle thoroughly the bits of the key with those of the message
- H = embedded hash function
- IV = initial value to the hash function
- M = message input to HMAC (including the padding specific to the hash function)
- Y_i = i-th block of M
- L = number of blocks in M
- b = number of bits in a block
- n = length of the hash code
- K = secret key; if its length is greater than b, it will be given as input to the hash function to produce an n-bit key

HMAC Overview

1. Append zeros to the left end of K to create a b-bit string K^+ (e.g., if K is of length 160 bits and b = 512 then K will be appended with 44 zero bytes 0x00).
2. XOR (bitwise exclusive-OR) K^+ with ipad to produce the b-bit block S_i.
3. Append M to S_i.
4. Apply H to the stream generated in step 3.
5. XOR K^+ with opad to produce the b-bit block S_o.
6. Append the hash result from step 4 to S_o.
7. Apply H to the stream generated in step 6 and output the result.
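The seven steps can be followed line by line and checked against Python's standard `hmac` module. This is an added example, not code from the original slides: the ipad and opad byte values (0x36 and 0x5C) come from RFC 2104, the zero bytes of step 1 are placed after the key as RFC 2104 specifies, and the packet layout in `protect` and `accept` (8-byte sequence number, payload, tag) is an assumption made here to show the "internal sequencing" that the MAC assurances call for.

```python
import hashlib
import hmac

IPAD = 0x36     # inner pad byte, repeated over the whole block (RFC 2104)
OPAD = 0x5C     # outer pad byte, repeated over the whole block (RFC 2104)
TAG_LEN = 32    # HMAC-SHA-256 output length in bytes


def hmac_by_steps(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC written out as steps 1 to 7, with H treated as a black box."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block_bytes = hashlib.new(hash_name).block_size        # b / 8

    # A key longer than one block is first hashed down to n bits.
    if len(key) > block_bytes:
        key = H(key)
    # Step 1: K+ is K followed by zero bytes up to b bits.
    k_plus = key + b"\x00" * (block_bytes - len(key))
    # Step 2: S_i = K+ XOR ipad.
    s_i = bytes(x ^ IPAD for x in k_plus)
    # Steps 3 and 4: hash S_i || M.
    inner = H(s_i + message)
    # Step 5: S_o = K+ XOR opad.
    s_o = bytes(x ^ OPAD for x in k_plus)
    # Steps 6 and 7: hash S_o || inner result.
    return H(s_o + inner)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: sequence number || payload || HMAC-SHA-256 tag over both."""
    body = seq.to_bytes(8, "big") + payload
    return body + hmac_by_steps(key, body)


def accept(key: bytes, last_seq: int, packet: bytes):
    """Receiver: return (seq, payload), or None for a bad tag or stale sequence."""
    if len(packet) < 8 + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    # Constant-time comparison, so the check does not leak how many
    # leading bytes of a forged tag were correct.
    if not hmac.compare_digest(tag, hmac_by_steps(key, body)):
        return None
    seq = int.from_bytes(body[:8], "big")
    if seq <= last_seq:          # replayed or reordered message
        return None
    return seq, body[8:]


if __name__ == "__main__":
    key = b"k" * 20              # constructed 160-bit key, as in step 1's example
    packet = protect(key, 1, b"hello")
    print(accept(key, 0, packet))    # fresh message is accepted
    print(accept(key, 1, packet))    # replay is rejected
```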

A More Efficient Implementation

- The following two values are precomputed:

HMAC Security

- The proved security of HMAC relates to that of the underlying hash algorithm
- Attacking HMAC requires either:
  - Brute-force attack: requires an effort on the level of 2^{n-1} for a key of length n
  - Birthday attack:
    - The main idea in this attack is that the attacker can compute the hash values of many messages and try to find a match
    - In HMAC, the attacker is unable to do that because the hash is protected by a secret key
    - The attacker will have to rely on messages observed on the link: for MD5 the attacker will have to wait on average for 2^{64} messages generated using the same key

1. Explain with neat diagrams the cipher block modes of operations for block ciphers
2. Differentiate between symmetric block ciphers and symmetric stream ciphers
3. Explain various Key distribution methods
4. Describe the various steps of encryption and decryption in an AES algorithm
5. Write about Message authentication
6. Explain various steps involved in HMAC algorithm
