PIS : Unit III MAC & Hash Protocols

PIS : Unit III MAC & Hash Protocols. Sanjay Rawat, Sanjay_r@vnrvjiet.in. Based on the slides of Lawrie Brown together with the book “Cryptography and Network Security” by William Stallings.



  1. PIS: Unit III MAC & Hash Protocols Sanjay Rawat Sanjay_r@vnrvjiet.in Based on the slides of Lawrie Brown together with the book “Cryptography and Network Security” by William Stallings. PIS Unit 3 Message Auth Sanjay Rawat

  2. Hash and MAC Algorithms • Recall that … • Hash Functions • condense arbitrary size message to fixed size • by processing message in blocks • through some compression function • either custom or block cipher based • Message Authentication Code (MAC) • fixed sized authenticator for some message • to provide authentication for message • by using block cipher mode or hash function

  3. A Typical Hash Algorithm Structure

  4. Secure Hash Algorithm • SHA originally designed by NIST & NSA in 1993 • was revised in 1995 as SHA-1 • US standard for use with DSA signature scheme • standard is FIPS 180-1 1995, also Internet RFC3174 • nb. the algorithm is SHA, the standard is SHS • based on design of MD4 with key differences • produces 160-bit hash values • recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

  5. Revised Secure Hash Standard • NIST issued revision FIPS 180-2 in 2002 • adds 3 additional versions of SHA • SHA-256, SHA-384, SHA-512 • designed for compatibility with increased security provided by the AES cipher • structure & detail is similar to SHA-1 • hence analysis should be similar • but security levels are rather higher

  6. SHA-512 • Step 1: Append padding bits. • The message is padded so that its length ≡ 896 (mod 1024). • Padding is always added, even if the message is already of the desired length. • the number of padding bits is in the range of 1 to 1024. • The padding consists of a single 1-bit followed by the necessary number of 0-bits.

  7. SHA-512 • Step 2: Append length. • A block of 128 bits is appended to the message. • It contains the length of the original message (before the padding). • This block is treated as an unsigned 128-bit integer (most significant byte first). • The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in length. The expanded message is represented as the sequence of 1024-bit blocks $M_1, M_2, \ldots, M_N$.

  8. SHA-512 • Step 3: Initialize hash buffer. • A 512-bit buffer is used to hold intermediate and final results of the hash function. • The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h). • a = 6A09E667F3BCC908; b = BB67AE8584CAA73B • c = 3C6EF372FE94F82B; d = A54FF53A5F1D36F1 • e = 510E527FADE682D1; f = 9B05688C2B3E6C1F • g = 1F83D9ABFB41BD6B; h = 5BE0CD19137E2179

  9. SHA-512 • Step 4: Process message in 1024-bit (128-word) blocks. • The heart of the algorithm is a module F that consists of 80 rounds!! • Each round t takes as input: • 512-bit buffer value abcdefgh, and updates the contents of the buffer $H_{i-1}$. • 64-bit value $W_t$, derived from $M_i$. • additive constant $K_t$. • The output of the 80th round is added to the input to the 1st round ($H_{i-1}$) to produce $H_i$.

  10. Step 5: Output. • After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit message digest.

  11. SHA-512 Overview

  12. SHA-512 overview • $H_0$ = IV • $H_i$ = $\mathrm{SUM}_{64}$($H_{i-1}$, $abcdefgh_i$) • MD = $H_N$ • where • IV = initial value of the abcdefgh buffer, defined in step 3 • $abcdefgh_i$ = the output of the last round of processing of the i-th message block • N = the number of blocks in the message • $\mathrm{SUM}_{64}$ = addition modulo $2^{64}$ performed separately on each word of the pair of inputs • MD = final message digest value

  13. SHA-512 Round Function • heart of the algorithm • processing message in 1024-bit blocks • consists of 80 rounds • updating a 512-bit buffer • using a 64-bit value $W_t$ derived from the current message block • and a round constant $K_t$ based on cube root of first 80 prime numbers.

  14. Round function • Each round is defined by the following set of equations:

  15. Round function • Where: • t = step number; 0 - 79 • Ch(e, f, g) = (e AND f) XOR (NOT e AND g) • Maj(a, b, c) = (a AND b) XOR (a AND c) XOR (b AND c).

  16. Where • $\mathrm{ROTR}^n(x)$ = circular right shift (rotation) of the 64-bit argument x by n bits • $W_t$ = a 64-bit word derived from the current 1024-bit input block (explained next) • $K_t$ = a 64-bit additive constant • + = addition modulo $2^{64}$

  17. Round Function

  18. SHA-512 Round Function

  19. Deriving the $W_t$ values • The first 16 values of $W_t$ are taken directly from the 16 words of the current block. • The remaining values are defined as follows: where • $\mathrm{ROTR}^n(x)$ = circular right shift (rotation) of the 64-bit argument x by n bits • $\mathrm{SHR}^n(x)$ = left shift of the 64-bit argument x by n bits with padding by zeros on the right

  20. SHA-512 Round Function

  21. Whirlpool • endorsed by European NESSIE project • uses modified AES internals as compression function • addressing concerns on use of block ciphers seen previously • with performance comparable to dedicated algorithms like SHA

  22. Features • The hash code length is 512 bits, equaling the longest hash code available with SHA. • The overall structure of the hash function is one that has been shown to be resistant to the usual attacks on block-cipher-based hash codes. • The underlying block cipher is based on AES -> S/H implementation friendly.

  23. Security • The expected workload of generating a collision is of the order of $2^{n/2}$ executions of Whirlpool. • Given an n-bit value, the expected workload of finding a message that hashes to that value is of the order of $2^n$ executions of Whirlpool. • Given a message and its n-bit hash result, the expected workload of finding a second message that hashes to the same value is of the order of $2^n$ executions of Whirlpool. • It is infeasible to detect systematic correlations between any linear combination of input bits and any linear combination of bits of the hash result, or to predict what bits of the hash result will change value when certain input bits are flipped => resistance against linear and differential attacks.

  24. High Level overview

  25. Logic • Given a message as blocks $m_1, m_2, \ldots, m_t$: • $H_0$ = initial value • $H_i$ = E($H_{i-1}$, $m_i$) XOR $H_{i-1}$ XOR $m_i$ = intermediate value • $H_t$ = hash code value • Various steps are explained next.

  26. Whirlpool steps • Step 1: Append padding bits. • The message is padded so that its length in bits is an odd multiple of 256. • Step 2: Append length. • A block of 256 bits is appended to the message. This block is treated as an unsigned 256-bit integer (most significant byte first) and contains the length in bits of the original message. • The message is represented as t blocks of 512 bits each, arranged in an 8x8 matrix of bytes.

  27. Steps (continued) • Step 3: Initialize hash matrix. • An 8 x 8 matrix of bytes is used to hold intermediate and final results of the hash function. • The matrix is initialized as consisting of all 0-bits. • Step 4: Process message in 512-bit (64-byte) blocks. • The heart of the algorithm is the block cipher W (based on AES).

  28. High Level View

  29. W vs. AES

  30. Function W • Like AES, W takes a 512-bit block of plaintext (CState matrix) and a 512-bit key (KState) as input and produces a 512-bit block of ciphertext as output. • The encryption algorithm involves: • add key (AK), • substitute bytes (SB), • shift columns (SC), and • mix rows (MR)

  31. 2. substitute bytes (SB) • Each byte of CState is substituted using an S-box (like AES, i.e. the left 4 bits select the row and the remaining bits select the column).

  32. 3. shift columns (SC) • causes a circular downward shift of each column of CState. • 1st column: 0-byte • 2nd column: 1-byte • 3rd column: 2-byte, and so on

  33. 4. mix rows (MR) • Brings in diffusion. • Each byte of a row is mapped into a new value that is a function of all eight bytes in that row. B = A x C, where A: input matrix, B: output matrix, and C: transformation matrix. • additions and multiplications are performed in GF($2^8$) with the irreducible polynomial $f(x) = x^8 + x^4 + x^3 + x^2 + 1$.

  34. Diffusion matrix C

  35. 1. add key (AK) layer • the 512 bits of CState are bitwise XORed with the 512 bits of the round key $K_r$. • B = AK[$K_r$]xA • 10 round keys are derived from the W itself, with round constants RC[r] as keys. • $RC[r]_{0,j} = S[8(r-1)+j]$, 0 ≤ j ≤ 7 and 0 ≤ r ≤ 10 • $RC[r]_{i,j} = 0$, 1 ≤ i ≤ 7, 0 ≤ j ≤ 7 and 0 ≤ r ≤ 10

  36. AK (continued) • With round constants, the key schedule expands the 512-bit cipher key K onto a sequence of round keys $K_0, K_1, \ldots, K_{10}$: • $K_0 = K$ • $K_r = RF[RC[r]](K_{r-1})$, where RF is round function of W i.e.

  37. Key expansion overview

  38. Keyed Hash Functions as MACs • want a MAC based on a hash function • because hash functions are generally faster • code for crypto hash functions widely available • hash includes a key along with message • original proposal: KeyedHash = Hash(Key|Message) • some weaknesses were found with this • eventually led to development of HMAC

  39. HMAC • specified as Internet standard RFC2104 • uses hash function on the message: $HMAC_K$ = Hash[($K^+$ XOR opad) || Hash[($K^+$ XOR ipad) || M]] • where $K^+$ is the key padded out to size • and opad, ipad are specified padding constants • any hash function can be used • eg. MD5, SHA-1, RIPEMD-160, Whirlpool

  40. HMAC Overview

  41. HMAC (continued) • Where: • H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160) • IV = initial value input to hash function • M = message input to HMAC (including the padding specified in the embedded hash function) • $Y_i$ = i-th block of M, 0 ≤ i ≤ (L - 1) • L = number of blocks in M • b = number of bits in a block • n = length of hash code produced by embedded hash function • K = secret key; recommended length is ≥ n; if key length is greater than b, the key is input to the hash function to produce an n-bit key • $K^+$ = K padded with zeros on the left so that the result is b bits in length • ipad = 00110110 (36 in hexadecimal) repeated b/8 times • opad = 01011100 (5C in hexadecimal) repeated b/8 times

  42. HMAC Algorithm • HMAC(K, M) = H[($K^+$ XOR opad) || H[($K^+$ XOR ipad) || M]], i.e. • 1. Append zeros to the left end of K to create a b-bit string $K^+$. • 2. XOR $K^+$ with ipad to produce the b-bit block $S_i$. • 3. Append M to $S_i$ ($T_i$ = $S_i$ || M). • 4. Apply H to the stream generated in step 3 ($H_i$ = H($T_i$)). • 5. XOR $K^+$ with opad to produce the b-bit block $S_o$. • 6. Append the hash result from step 4 to $S_o$ ($H_o$ = $S_o$ || $H_i$). • 7. Apply H to the stream generated in step 6 and output the result (HMAC = H($H_o$)).
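The seven steps above written out over Python's `hashlib`, including the over-long-key rule from slide 41; this is an added example, not code from the slides. `hmac_steps`, `verify` and `agrees_with_stdlib` are illustrative names, and $K^+$ is laid out as RFC 2104 specifies, with the zero bytes following the key bytes.

```python
import hashlib
import hmac  # standard library; used as a reference and for compare_digest

def hmac_steps(key, msg, hash_name="sha512"):
    def H(data):
        return hashlib.new(hash_name, data).digest()
    b = hashlib.new(hash_name).block_size      # block length b, here in bytes
    if len(key) > b:                           # key longer than b: hash it to n bits first
        key = H(key)
    k_plus = key + b"\x00" * (b - len(key))    # step 1: zero-pad K to b bits (RFC 2104 order)
    s_i = bytes(x ^ 0x36 for x in k_plus)      # step 2: K+ XOR ipad
    h_i = H(s_i + msg)                         # steps 3-4: inner hash over S_i || M
    s_o = bytes(x ^ 0x5C for x in k_plus)      # step 5: K+ XOR opad
    return H(s_o + h_i)                        # steps 6-7: outer hash over S_o || H_i

def verify(key, msg, tag, hash_name="sha512"):
    """Recompute the MAC and compare in constant time, not with ==."""
    return hmac.compare_digest(hmac_steps(key, msg, hash_name), tag)

def agrees_with_stdlib(key, msg, hash_name="sha512"):
    return hmac_steps(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()
```

The receiver should check tags with `verify`, since a byte-by-byte `==` on MACs can leak how many leading bytes matched through timing.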
