320 likes | 372 Views
Authentication & MD5. Jen-Chang Liu, Fall 2005 Adapted from l ecture slides by Lawrie Brown. Model for Network Security. Type of attacks. disclosure traffic analysis m asquerade 偽裝 content modification sequence modification Insertion, deletion, reordering timing modification
E N D
Authentication & MD5 Jen-Chang Liu, Fall 2005 Adapted from lecture slides by Lawrie Brown
Type of attacks • disclosure • traffic analysis • masquerade偽裝 • content modification • sequence modification • Insertion, deletion, reordering • timing modification • Delay or replay of message • source repudiation • destination repudiation Message confidentiality => ciphers Message authentication =>Message encryption, Message auth. code, Hash function 不可否認發出訊息 Digital signature 不可否認收到訊息
Outline • Message authentication • Message encryption • Message authentication code: MAC=Ck(M), k is a shared secret key, MAC is a fixed-length code • Hash function: h=H(M), h is a fixed-length code • MD5
Message Authentication • message authentication is concerned with: • protecting the integrity of a message • validating identity of originator • non-repudiation of origin (dispute resolution) • Two-level approach • Produce an authenticator: a value to be used to authenticate a message • Authentication protocol 訊息 來源 來源不可否認發出訊息
Message Encryption • The ciphertext of the message serves as its authenticator • symmetric encryption is used: * A is the only party that possesses K * Y=DK(X), How to verify that Y is legitimate plaintext? Source: text file Source: binary file, such as compressed file, …
Symmetric encryption for authentication • Constraint: the plaintext have some well-formed structure • Example 1: frame check sequence (FCS) Error detection code Frame check sequence Hash function
Symmetric encryption for authentication (cont.) • Example 2: TCP header encrypted
Only A has private key, M must be well-formed Public-keyencryption for authentication A B Anyone can access public key – no authentication confidentiality authentication Confidentiality +authentication
Outline • Message authentication • Message encryption • Message authentication code: MAC=Ck(M), k is a shared secret key, MAC is a fixed-length code • Hash function: h=H(M), h is a fixed-length code • MD5
Message Authentication Code (MAC) • MAC is a cryptographic checksumMAC=CK(M) • condenses a variable-length message M • using a secret key K • to a fixed-sized authenticator
Message Authentication Codes (cont.) • why use a MAC instead of message encryption? • Sometimes only authentication is needed • Ex. Broadcast of shut down message, check MAC is cheaper • Ex. The receiver side cannot afford time to decrypt • Ex. Authentication of a program in plaintext • Separation of authentication and confidentiality • Sometimes need authentication to persist longer than the encryption (eg. archival use) • note that a MAC is not a digital signature • Both sender and receiver share the same key
Using Symmetric Ciphers for MACs • Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC • using IV=0 and zero-pad of final block • encrypt message using DES in CBC mode • and send just the final block as the MAC • or the leftmost M bits (16≤M≤64) of final block IV=0 + Cipher block chaining
Outline • Message authentication • Message encryption • Message authentication code: MAC=Ck(M), k is a shared secret key, MAC is a fixed-length code • Hash function: h=H(M), h is a fixed-length code • MD5
Hash Functions • Hash function: h=H(M), h is a fixed-length code • Also called as message digest or hash value • usually assume that the hash function is public and not keyed. cf. MAC which is keyed • hashis used to detect changes to message • can use in various ways with message, most often to create a digital signature
Hash functions & symmetric encryption Hash code provide a structure for the message In fact, a MAC code
Hash functions & public-key encryptions User B User A In fact, a digital signature confidentiality
Hash functions & a shared secret value S Advantage: no encryption is necessary confidentiality
Requirements for Hash Functions • is easy to compute h=H(M) for any message M • can be applied to any sized message M • produces fixed-length output h • given h is infeasible to find x s.t. H(x)=h • one-way property • Important if a secret value is hashed. h = H(M || S) • given x is infeasible to find y s.t. H(y)=H(x) • weak collision resistance • Prevent forgery • is infeasible to find any x,y s.t. H(y)=H(x) • strong collision resistance
Simple Hash Functions • based on XOR of message blocks XOR * Too simple to fit the security requirements
Hash Algorithms • see similarities in the evolution of hash functions & block ciphers • increasing power of brute-force attacks • leading to evolution in algorithms • from DES to AES in block ciphers • from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash algorithms • likewise tend to use common iterative structure as do block ciphers
MD5 (Message Digest) • designed by Ronald Rivest (the R in RSA) • latest in a series of MD2, MD4 • produces a 128-bit hash value • until recently was the most widely used hash algorithm • in recent times have both brute-force & cryptanalytic concerns • specified as Internet standard RFC1321
MD5 Overview • pad message so its length is 448 mod 512 • append a 64-bit length value to message • initialise 4-word (128-bit) MD buffer (A,B,C,D) • process message in 16-word (512-bit) blocks: • using 4 rounds of 16-step operations on message block & buffer • add output to buffer input to form new buffer value • output hash value is the final buffer value
T[i]=232 abs(sin(i)) [32 bits or 1 word]
MD5 Compression Function (1 step) 32 bits 32 bits 32 bits 32 bits 32 bits from 512-bits block Random 32 bits Circular left shift
Round functions * Bitwise logical operations
Strength of MD5 • MD5 hash is dependent on all message bits • Rivest claims security is good as can be • Case 1: find M1 and M2 • Case 2: find a message with given MD M1 128-bit MD 128-bit MD M2 264 operations 2128 operations
Strength of MD5 (cont.) • known attacks are: • Berson 92 attacked any 1 round using differential cryptanalysis (but can’t extend) • Boer & Bosselaers 93 found a pseudo collision (different ABCD buffers, same output) in single block (again unable to extend) • Dobbertin 96 created collisions(different 512-bit blocks, same output) in single block (but initial constants prevent exploit) • conclusion is that MD5 looks vulnerable soon