
Message Authentication Code Algorithms


Presentation Transcript


  1. Message Authentication Code Algorithms CSIS 5857: Encoding and Encryption

  2. Digests and Networks
     • Same hash applied to message by sender and recipient
     • Sender creates digest and sends along with message
     • Recipient creates digest from received message, and compares to received digest
     • If no match, message has been tampered with en route

  3. Digests and Networks
     • Problem: Adversary can easily intercept digest and change it to match new message
     • Must assume adversary knows hash function we use!

  4. Message Authentication Codes
     • Using secret key to create digest
     • Creates MAC as h(M, k)
     • Without k, Dart can’t substitute M′ and then duplicate the h(M′, k) that recipient will use to check message integrity
     • k must be large enough to prevent exhaustive search

  5. Message Authentication Codes
     • Provides authentication of sender
          • Only person with correct key k can produce h(M, k) that matches message M
     • Also provides nonrepudiation protection
          • Sender cannot later claim they did not send message unless key stolen
     [Figure: recipient recomputes h(M, k) from the received M and compares it with the received h(M, k): “If they match, then sender must have same key k as I do”]

  6. Authentication and Confidentiality
     • Can also encrypt message with different key
     • Hash plaintext before encryption
     • Hash ciphertext after encryption
          • Allows authentication to take place without decryption (usually much faster)

  7. Prefix/Postfix MAC
     • Key = “extra bits” at beginning or end of message: h(M, k) = h(M | k) or h(k | M)
     • Hash algorithm used must have strong “avalanche effect”
          • Changing few bits at beginning/end changes most bits of MAC even if rest of message is the same
     • Better if key “spread out” over message rather than at known fixed location

  8. Nested MAC
     • Hashing applied multiple times
          • Concatenate key with message: k | M
          • Run through hash: h(k | M)
          • Concatenate key again: k | h(k | M)
          • Run through hash again: MAC = h(k | h(k | M))
     • Changes in key have greater avalanche effect on final MAC

  9. Hashed MAC (HMAC)
     • 2-stage nested MAC
     • Intermediate result of first hash padded to increase complexity of next hash
     • Different “round keys” generated for each hash
          • Stage 1: $k_1 = k \oplus \text{ipad}$
          • Stage 2: $k_2 = k \oplus \text{opad}$

  10. Hashed MAC (HMAC)
     • Stage 1: $k_1 = k \oplus \text{ipad}$
          • Key k padded out to b bits with extra 0’s
          • ipad = 00110110 00110110 … repeated to b bits
     • Stage 2: $k_2 = k \oplus \text{opad}$
          • opad = 01011100 01011100 … repeated to b bits
     • Key idea: ipad and opad differ in half of possible bits, so $k_1$ and $k_2$ will differ very greatly

  11. Chained MAC (CMAC)
     • “Hashless” MAC
     • Uses an encryption algorithm (DES, AES, etc.) to generate MAC

  12. Chained MAC (CMAC)
     • Based on same idea as cipher block chaining
     • Message broken into N blocks
     • Each block fed into an encryption algorithm with key
     • Result XOR’d with next block before encryption to make final MAC depend on all blocks
     • Compresses result to size of single block (unlike encryption)

  13. Chained MAC (CMAC)
     • Final stage uses “additional key”
     • Derived from cipher key but hides relationship to key:
          • Encrypting all 0’s
          • Multiplying by $x$ or $x^2$ over $GF(2^n)$

  14. Chained MAC (CMAC)
     • Additional key XOR’d with final block
     • Crucial to use different key for last XOR
          • Avoids differential cryptanalysis of 2 messages with same beginning
     • MAC = leftmost n bits of result

  15. Chained MAC (CMAC)
     • Advantages:
          • Can use existing encryption functions
          • Encryption functions have properties that resist preimage and collision attacks
          • Ciphertext designed to appear like “random noise” – good approximation of random oracle model
          • Most exhibit strong avalanche effect – minor change in message gives great change in resulting MAC
     • Disadvantage:
          • Encryption algorithms (particularly when chained) can be much slower than hash algorithms

  16. Galois/Counter Mode (GCM)
     • Confidentiality + Authentication
          • Data encrypted and then hashed
     • NIST standard SP 800-38D
     • Can be run in parallel
     • Message encrypted in variant of CTR
     • Ciphertext multiplied with key over $GF(2^{128})$ to generate authenticator tag

  17. Overall GCM Structure
     • Input:
          • Secret key K (single key for both encryption and authentication)
          • Initialization vector IV
          • Plaintext P
          • Any additional authenticated data A that will be authenticated but not encrypted
     • Two functions:
          • GHASH: keyed hash function
          • GCTR: CTR mode encryption

  18. GHASH function
     • $Y_i = (Y_{i-1} \oplus X_i) \bullet H$
     • $Y_0$ = block of 128 0’s
     • $\bullet$ designates multiplication in $GF(2^{128})$
     • $H(X) = (X_1 \bullet H^m) \oplus (X_2 \bullet H^{m-1}) \oplus \dots \oplus (X_{m-1} \bullet H^2) \oplus (X_m \bullet H)$
     • Can compute all $H^i$ in advance for maximum speed

  19. GCTR Encryption
     • Standard CTR mode used for encryption
     • Key stream generated
     • Blocks can be encrypted in parallel
     • Last block can be less than standard block size

  20. Overall GCM Structure

  21. Overall GCM Structure
     • Pre-counter block ($J_0$) generated from IV by padding with 0’s if necessary
     • $J_0$ used as initial value of counter in encryption
     • Ciphertext appended to authenticated data and length information, padded with 0’s to create data block

  22. Overall GCM Structure
     • Hash key generated by encrypting a block of all zeros with K
     • Data block hashed with GHASH
     • Resulting hash encrypted with GCTR using K and $J_0$
     • Final hash tag created from most significant bits of result
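
The HMAC construction from slides 9 and 10, written out stage by stage as an added example (not part of the original presentation). The key and messages are constructed sample values, SHA-256 is an assumed choice of hash, and hashing keys longer than b follows RFC 2104 rather than the slides.

```python
import hashlib
import hmac

IPAD = 0x36  # 00110110, the ipad byte from slide 10
OPAD = 0x5C  # 01011100, the opad byte from slide 10


def hmac_by_hand(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Two-stage nested MAC: h(k2 | h(k1 | M)), k1 = k XOR ipad, k2 = k XOR opad."""
    b = hashlib.new(hash_name).block_size      # b in bytes (64 for SHA-256)
    if len(key) > b:                           # keys longer than b are hashed down first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(b, b"\x00")                # pad k out to b with extra 0's
    k1 = bytes(x ^ IPAD for x in key)          # stage 1 round key
    k2 = bytes(x ^ OPAD for x in key)          # stage 2 round key
    inner = hashlib.new(hash_name, k1 + msg).digest()
    return hashlib.new(hash_name, k2 + inner).digest()


def round_key_bit_difference(key: bytes, b: int = 64) -> int:
    """Number of bit positions in which k1 and k2 differ."""
    key = key.ljust(b, b"\x00")
    return sum(bin((x ^ IPAD) ^ (x ^ OPAD)).count("1") for x in key)


def recipient_accepts(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the MAC over the received message; compare in constant time."""
    return hmac.compare_digest(hmac_by_hand(key, msg), tag)


if __name__ == "__main__":
    key = b"constructed demo key"              # constructed sample values
    msg = b"transfer 100 to account 42"
    tag = hmac_by_hand(key, msg)
    print(tag.hex())
    print(recipient_accepts(key, msg, tag))                            # unmodified message
    print(recipient_accepts(key, b"transfer 900 to account 42", tag))  # altered en route
    print(round_key_bit_difference(key), "of", 64 * 8, "round-key bits differ")
```

The result is byte-for-byte what the standard library's `hmac` module produces for the same key and message.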
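
The GHASH function from slide 18, computed both ways as an added example (not part of the original presentation): the block-by-block recurrence and the expanded sum over precomputed powers of H. Field multiplication follows Algorithm 1 of NIST SP 800-38D, and the data block is laid out as described on slide 21; the hash key and data in the demo are constructed values.

```python
R = 0xE1 << 120  # x^128 + x^7 + x^2 + x + 1 in GCM's bit ordering


def gf_mul(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128) (NIST SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for i in range(127, -1, -1):          # bits of x, leftmost first
        if (x >> i) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def to_blocks(data: bytes) -> list:
    """Zero-pad to a multiple of 16 bytes and split into 128-bit integers."""
    data += bytes(-len(data) % 16)
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]


def gcm_hash_input(aad: bytes, ciphertext: bytes) -> list:
    """Authenticated data, then ciphertext, then both bit lengths (64 bits each)."""
    lengths = (len(aad) * 8).to_bytes(8, "big") + (len(ciphertext) * 8).to_bytes(8, "big")
    return to_blocks(aad) + to_blocks(ciphertext) + to_blocks(lengths)


def ghash_iterative(h: int, blocks: list) -> int:
    y = 0                                 # Y_0 = block of 128 zeros
    for x in blocks:
        y = gf_mul(y ^ x, h)              # Y_i = (Y_{i-1} XOR X_i) * H
    return y


def ghash_powers(h: int, blocks: list) -> int:
    m = len(blocks)
    powers = [h]                          # powers[j] = H^(j+1), computed in advance
    for _ in range(m - 1):
        powers.append(gf_mul(powers[-1], h))
    y = 0
    for i, x in enumerate(blocks):        # X_(i+1) * H^(m-i), all terms XOR'd together
        y ^= gf_mul(x, powers[m - 1 - i])
    return y


if __name__ == "__main__":
    h = int.from_bytes(bytes(range(16, 32)), "big")             # constructed hash key
    blocks = gcm_hash_input(b"header", b"constructed ciphertext bytes")
    print(hex(ghash_iterative(h, blocks)), hex(ghash_powers(h, blocks)))
```

The terms of the expanded form are independent of each other, which is what allows them to be computed in parallel once the powers of H are known.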
