
Information Security and Management 11. Message Authentication and Hash Functions

Information Security and Management 11. Message Authentication and Hash Functions. Chih-Hung Wang Sep. 2008. Message Authentication. Authentication Requirement Possible attacks on the network Disclosure Traffic analysis Masquerade Content modification Sequence modification


Presentation Transcript


  1. Information Security and Management 11. Message Authentication and Hash Functions Chih-Hung Wang Sep. 2008

  2. Message Authentication • Authentication Requirement • Possible attacks on the network • Disclosure • Traffic analysis • Masquerade • Content modification • Sequence modification • Timing modification • Source repudiation • Destination repudiation

  3. Authentication Functions • Message encryption • The ciphertext of the entire message serves as its authenticator • Message authentication code (MAC) • A public function of the message and a secret key that produces a fixed-length value that serves as the authenticator • Hash Function • A public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator

  4. Message Encryption (A) Conventional encryption: confidentiality and authentication

  5. Message Encryption (B) Public-key encryption: confidentiality

  6. Message Encryption (C) Public-key encryption: authentication and signature

  7. Message Encryption (D) Public-key encryption: confidentiality, authentication and signature

  8. Table 11.1 (1)

  9. Table 11.1 (2)

  10. Error Control • Append an error-detecting code (frame check sequence, FCS) or checksum to each message before encryption Internal error control

  11. Error Control External error control An opponent can construct messages with valid error-control codes

  12. Example of TCP Segment The receiver can be assured of the proper sequence because an attacker cannot successfully alter the sequence number

  13. TCP-level Encryption

  14. MAC (1) • The use of a secret key to generate a small fixed-size block of data • That is appended to the message • A MAC function is similar to encryption. One difference is that the MAC algorithm need not be reversible • It is less vulnerable to being broken than encryption

  15. MAC (2) • Three situations in which a message authentication code is used • The same message is broadcast to a number of destinations • It is cheaper and more reliable to have only one destination responsible for monitoring authenticity • An exchange: one side has a heavy load and cannot afford the time to decrypt all incoming messages • Messages are chosen at random for checking • Authentication of a computer program in plaintext is an attractive service • The computer program can be executed without having to decrypt it every time

  16. MAC (3) • Other rationales • For some applications, it may not be a concern to keep messages secret, but it is important to authenticate messages • SNMPv3: separates the functions of confidentiality and authentication • Separation of authentication and confidentiality functions affords architectural flexibility • Perform authentication at the application level but provide confidentiality at a lower level • A user may wish to prolong the period of protection beyond the time of reception and yet allow processing of the message content

  17. MAC (4) Message authentication

  18. MAC (5) Message authentication and confidentiality; Authentication tied to plaintext

  19. MAC (6) Message authentication and confidentiality; Authentication tied to ciphertext

  20. Basic Uses of MAC (Table 11.2)

  21. MAC Function • A MAC function is similar to encryption. One difference is that the MAC algorithm need not be reversible, as it must for decryption. • In general, the MAC function is a many-to-one function. If an n-bit MAC is used, then there are 2^n possible MACs, whereas there are N possible messages with N >> 2^n.

  22. Requirements for MACs (1)

  23. Requirements for MACs (2) • Taking into account the types of attacks • Need the MAC to satisfy the following: • Knowing a message and MAC, it is infeasible to find another message with the same MAC • If we assume that the opponent does not know k but does have access to the MAC function and can present messages for MAC generation, then the opponent could try various messages until finding one that matches a given MAC. MACs should be uniformly distributed. A brute-force method would require, on average, 2^(n-1) attempts. • The MAC should not be weaker with respect to certain parts or bits of the message than others.

  24. Using Symmetric Ciphers for MACs • Can use any block cipher chaining mode and use final block as a MAC • Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC • using IV=0 and zero-pad of final block • encrypt message using DES in CBC mode • and send just the final block as the MAC • or the leftmost M bits (16≤M≤64) of final block • but final MAC is now too small for security

  25. DAC • Data Authentication Code (FIPS PUB 113 and ANSI standard X9.17)

  26. Hash Function • Definition • A hash function accepts a variable-size message M as input and produces a fixed-size hash code H(M) • Sometimes called a message digest • Hash Algorithm • MD5 • RFC 1321 developed by Ron Rivest at MIT • Secure Hash Algorithm (SHA) • FIPS PUB 180 in 1993 (NIST) 180-1 in 1995 • FIPS: Federal Information Processing Standard

  27. Hash Function [Figure: plaintext M -> hash function -> message digest (hash value) H(M)]

  28. Requirements of Hash • H can be applied to a block of data of any size • H produces a fixed-length output • H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical • For any given code h, it is computationally infeasible to find x such that H(x)=h. This is sometimes referred to in the literature as the one-way property • For any given block x, it is computationally infeasible to find y ≠ x with H(y)=H(x). This is sometimes referred to as weak collision resistance • It is computationally infeasible to find any pair (x,y) such that H(x)=H(y). This is sometimes referred to as strong collision resistance.

  29. Requirements of Hash • It is difficult to find m1 and m2 (m1 ≠ m2) such that H(m1)=H(m2) [Figure: m1 -> H(m1), m2 -> H(m2)]

  30. Basic Use of Hash (A)

  31. Basic Use of Hash (B)

  32. Basic Use of Hash (C)

  33. Security of Hash Functions • For a code of length n • One-way: 2^n • Weak collision resistance: 2^n • Strong collision resistance: 2^(n/2)
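
The gap between the 2^n and 2^(n/2) work factors on slide 33 can be measured on a deliberately short hash. The following is an added example, not part of the original slides; the toy hash (leftmost n bits of SHA-256), the function names and the message strings are all constructed for the demonstration.

```python
import hashlib

def h_trunc(msg: bytes, n_bits: int) -> int:
    """Toy n-bit hash code: leftmost n_bits of SHA-256 (constructed for this demo)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)

def find_collision(n_bits: int):
    """Strong collision: any pair (x, y), x != y, with H(x) == H(y).
    Remembering every code seen so far gives the birthday bound, about 2^(n/2) tries."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        code = h_trunc(msg, n_bits)
        if code in seen:
            return seen[code], msg, i + 1
        seen[code] = msg
        i += 1

def find_second_preimage(target: bytes, n_bits: int):
    """Weak collision: a y != target with H(y) == H(target).
    The goal code is fixed in advance, so about 2^n tries are needed."""
    goal = h_trunc(target, n_bits)
    i = 0
    while True:
        msg = b"try-%d" % i
        if msg != target and h_trunc(msg, n_bits) == goal:
            return msg, i + 1
        i += 1

def compare(n_bits: int = 16):
    """Run both searches on the same n-bit code and report the work each needed."""
    x, y, c_tries = find_collision(n_bits)
    z, p_tries = find_second_preimage(b"fixed message", n_bits)
    return {"collision": (x, y), "collision_tries": c_tries,
            "second_preimage": z, "second_preimage_tries": p_tries}

if __name__ == "__main__":
    print(compare(16))
```

For a 16-bit code the collision search finishes after a few hundred messages while the second-preimage search needs on the order of 2^16, which is why a hash code must be twice as long as the intended security level against collisions.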

  34. The Famous Hash Functions • MD5 • SHA

  35. SHA-1 Logic • Append padding bits: pad message so its length is 448 mod 512 • Append length: append a 64-bit length value to message • Initialize MD buffer: initialise 5-word (160-bit) buffer (A,B,C,D,E) to (67452301,efcdab89,98badcfe,10325476,c3d2e1f0) • Process message in 512-bit (16-word) blocks: • expand 16 words into 80 words by mixing & shifting • use 4 rounds of 20 bit operations on message block & buffer • add output to input to form new buffer value • Output: output hash value is the final buffer value

  36. SHA-1 Compression Function • Each round has 20 steps which replace the 5 buffer words thus: (A,B,C,D,E) <- ((E + f(t,B,C,D) + S^5(A) + W_t + K_t), A, S^30(B), C, D) • A,B,C,D,E refer to the 5 words of the buffer • t is the step number, 0 ≤ t ≤ 79 • f(t,B,C,D) is the nonlinear function for the round • W_t is derived from the message block • K_t is an additive constant value • S^k is circular left shift by k bits

  37. SHA-1 Compression Function

  38. SHA-1 Compression Function

  39. Function Summarized

  40. 80-word Input Sequence • W_t = S^1(W_(t-16) ⊕ W_(t-14) ⊕ W_(t-8) ⊕ W_(t-3))
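
The steps of slides 35, 36 and 40 (padding, buffer initialisation, word expansion, the 80-step update) fit together as follows. This is an added example, not part of the original slides; the per-round functions f and constants K_t are taken from FIPS 180, since the transcript names them but does not list their values.

```python
import struct

def rotl(x, k):
    """S^k: circular left shift of a 32-bit word by k bits."""
    return ((x << k) | (x >> (32 - k))) & 0xFFFFFFFF

def f_and_k(t, b, c, d):
    """Nonlinear function f(t,B,C,D) and additive constant K_t (values from FIPS 180)."""
    if t < 20:
        return (b & c) | (~b & d), 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6

def sha1(message: bytes) -> str:
    # Append padding bits: a single 1 bit, then zeros until the length is
    # 448 mod 512 bits; then append the message length as a 64-bit value.
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", len(message) * 8)

    # Initialize the 5-word (160-bit) buffer (A,B,C,D,E).
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]

    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        # Expand 16 words into 80: W_t = S^1(W_(t-16) ^ W_(t-14) ^ W_(t-8) ^ W_(t-3)).
        for t in range(16, 80):
            w.append(rotl(w[t - 16] ^ w[t - 14] ^ w[t - 8] ^ w[t - 3], 1))
        a, b, c, d, e = h
        for t in range(80):
            f, k = f_and_k(t, b, c, d)
            # (A,B,C,D,E) <- (E + f + S^5(A) + W_t + K_t, A, S^30(B), C, D)
            a, b, c, d, e = ((e + f + rotl(a, 5) + w[t] + k) & 0xFFFFFFFF,
                             a, rotl(b, 30), c, d)
        # Add output to input to form the new buffer value.
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return "".join(f"{x:08x}" for x in h)

if __name__ == "__main__":
    print(sha1(b"abc"))
```

Messages of 55, 56 and 64 bytes exercise the padding boundary, where the length field either fits in the current 512-bit block or forces an extra one.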

  41. Comparison of SHA-1 and MD5 • Brute force attack for SHA-1 is harder (160 vs 128 bits for MD5) • SHA-1 is not vulnerable to any known attacks (compared to MD4/5) ?? • (Speed) SHA-1 is a little slower than MD5 (80 vs 64 steps) • Both designs are simple and compact • SHA-1 uses big endian scheme (MD5 uses little endian scheme)

  42. Revised Secure Hash Standard • NIST has issued a revision, FIPS 180-2, which adds 3 additional hash algorithms: SHA-256, SHA-384, SHA-512. • Designed for compatibility with increased security provided by the AES cipher • Structure & detail are similar to SHA-1 and hence analysis should be similar.

  43. Comparison of SHA Properties
