Unit 5

Post on 13-Nov-2014


MAC, Hash function, MD5, SHA-1, SHA-512, HMAC


Prof. Chintan Patel Information Security

CE Department. Unit - 5

MEFGI , RAJKOT

• Authentication Requirements

• Authentication Functions

• Message Authentication Code

• Hash Function

• Security of Hash function and MACs

BOOK: Cryptography and N/W Security by William Stallings, 4th Edition.

Chapter : 11, Message Authentication and Hash Function

• Recall that the most important services of a cryptosystem are

• Confidentiality : Eve does not get information about the message.

• Data integrity : Eve cannot alter the message.

• Authentication : Bob knows for sure that the message comes from Alice .

• Non-repudiation : Bob can prove to a third party that the message comes from Alice.

• So far we have looked at confidentiality. Now let us look at the other services.

• Message authentication is concerned with:

protecting the integrity of a message

validating identity of originator

non-repudiation of origin (dispute resolution)

• will consider the security requirements

• then three alternative functions used:

message encryption

message authentication code (MAC)

hash function

• Kinds of attacks (threats) in the context of communications across a network:

1. Disclosure

2. Traffic analysis

3. Masquerade

4. Content modification

5. Sequence modification

6. Timing modification

7. Repudiation

• Measures to deal with the first two attacks: these are in the realm of message confidentiality and are addressed with encryption

• Measures to deal with items 3 through 6: message authentication

• Measures to deal with item 7: digital signature

• Message authentication

A procedure to verify that messages come from the alleged source and have not been altered

Message authentication may also verify sequencing and timeliness

• Digital signature

An authentication technique that also includes measures to counter repudiation by either source or destination

• Message authentication or digital signature mechanism can be viewed as having two levels

At lower level: there must be some sort of functions producing an authenticator – a value to be used to authenticate a message

This lower-level function is used as a primitive in a higher-level authentication protocol

• Three classes of functions that may be used to produce an authenticator

Message encryption: the ciphertext itself serves as the authenticator

Message authentication code (MAC): a public function that takes a variable-length message and a secret key as input and produces an authentication code or value that serves as the authenticator

Hash function: a public function that maps a message of any length into a fixed-length hash value or message digest, which serves as the authenticator

• Conventional encryption can serve as authenticator

Conventional encryption provides authentication as well as confidentiality

Requires recognizable plaintext or other structure to distinguish between well-formed legitimate plaintext and meaningless random bits

e.g., ASCII text, an appended checksum, or use of layered protocols

Ways of Providing Structure

• Append an error-detecting code (frame check sequence (FCS)) to each message

Ways of Providing Structure - 2

• Suppose all of the datagram except the IP header is encrypted.

• If an opponent substituted some arbitrary bit pattern for the encrypted TCP segment, the resulting plaintext would not include a meaningful header

Confidentiality and Authentication Implications of Message Encryption

• Uses a shared secret key to generate a fixed-size block of data (known as a cryptographic checksum or MAC) that is appended to the message

• MAC = C_K(M)

• Assurances:

Message has not been altered

Message is from alleged sender

Message sequence is unaltered (requires internal sequencing)

• Similar to encryption, but the MAC algorithm need not be reversible

Basic Uses of MAC


i.e., why not just use encryption?

• Cleartext stays clear

• MAC might be cheaper

• Broadcast

• Authentication of executable codes

• Architectural flexibility

• Separation of authentication check from message use

“Converts a variable-size message M into a fixed-size hash code H(M) (sometimes called a message digest)”

• usually assume that the hash function is public and not keyed

cf. MAC which is keyed

• hash used to detect changes to message

• can use in various ways with message

• most often to create a digital signature

• Can be used with encryption for authentication

E(M || H)

M || E(H)

M || signed H

E( M || signed H ) gives confidentiality

M || H( M || K )

E( M || H( M || K ) )

Basic Uses of Hash Function


• h = H(M)

• M is a variable-length message, h is a fixed-length hash value, H is a hash function

• The hash value is appended at the source

• The receiver authenticates the message by recomputing the hash value

• Because the hash function itself is not considered to be secret, some means is required to protect the hash value

1. H can be applied to any size data block

2. H produces fixed-length output

3. H(x) is relatively easy to compute for any given x

4. H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x)

5. H is weakly collision resistant: given x, it is computationally infeasible to find any y ≠ x s.t. H(x) = H(y)

6. H is strongly collision resistant: it is computationally infeasible to find any x and y s.t. H(x) = H(y)

• One-way property is essential for authentication

• Weak collision resistance is necessary to prevent forgery

• Strong collision resistance is important for resistance to birthday attack

• Operation of hash functions

The input is viewed as a sequence of n-bit blocks

The input is processed one block at a time in an iterative fashion to produce an n-bit hash function

• Simplest hash function: Bitwise XOR of every block

C_i = b_i1 ⊕ b_i2 ⊕ … ⊕ b_im

C_i = i-th bit of the hash code, 1 ≤ i ≤ n

m = number of n-bit blocks in the input

b_ij = i-th bit in j-th block

Known as longitudinal redundancy check

• Improvement over the simple bitwise XOR

– Initially set the n-bit hash value to zero

– Process each successive n-bit block of data as follows

» Rotate the current hash value to the left by one bit

» XOR the block into the hash value

• If the adversary can generate 2^(m/2) variants of a valid message and an equal number of fraudulent messages

• The two sets are compared to find one message from each set with a common hash value

• The valid message is offered for signature

• The fraudulent message with the same hash value is inserted in its place

• If a 64-bit hash code is used, the level of effort is only on the order of 2^32

• Conclusion: the length of the hash code must be substantial
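The 2^(m/2) work factor can be measured directly. The following is an added example, not part of the original slides: it models an m-bit hash code by truncating SHA-256 (an assumption made for the demonstration) and counts how many distinct messages must be hashed before two of them share a hash code.

```python
import hashlib
from itertools import count

def truncated_hash(msg: bytes, m_bits: int) -> int:
    """Model an m-bit hash code by keeping the top m bits of SHA-256."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - m_bits)

def find_collision(m_bits: int):
    """Hash distinct message variants until two share a hash code.

    Returns (first_message, second_message, trials_needed).
    """
    seen = {}  # hash code -> message that produced it
    for trials in count(1):
        msg = b"constructed variant %d" % trials  # constructed sample input
        code = truncated_hash(msg, m_bits)
        if code in seen:
            return seen[code], msg, trials
        seen[code] = msg

if __name__ == "__main__":
    # The trial count grows with 2^(m/2), not 2^m: doubling the hash
    # length only squares the effort, which is why short codes fail.
    for m in (16, 24, 32):
        x, y, trials = find_collision(m)
        print(f"m={m:2d}  collision after {trials:6d} trials  "
              f"(2^(m/2) = {2 ** (m // 2)})")
```
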

Generating 2^(m/2) Variants of Valid Messages

• Insert a number of “space-backspace-space” character pairs between words throughout the document. Variations could then be generated by substituting “space-backspace-space” in selected instances

• Alternatively, simply reword the message but retain the meaning

• Three desirable properties of hash functions

One-way: For any given code h, it is computationally infeasible to find x s.t. H(x) = h

Weak collision resistance: For any given block x, it is computationally infeasible to find y ≠ x s.t. H(y) = H(x)

Strong collision resistance: It is computationally infeasible to find any pair (x, y) s.t. H(y) = H(x)

• like block ciphers have:

• brute-force attacks exploiting

strong collision resistance hash have cost 2^(m/2)

have proposal for h/w MD5 cracker

128-bit hash looks vulnerable, 160-bits better

MACs with known message-MAC pairs

can either attack keyspace (cf key search) or MAC

at least 128-bit MAC is needed for security

• Introduction

• MD5 Algorithm Structure

• Implementation Steps

• MD5 vs. MD4

• MD5 algorithm was developed by Professor Ronald L. Rivest in 1991.

• According to RFC 1321, “MD5 message-digest algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input.

• The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.”

• Step1 : Append padding bits

• The input message is "padded" (extended) so that its length (in bits) equals 448 mod 512. Padding is always performed, even if the length of the message is already 448 mod 512.

Padding is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended so that the length in bits of the padded message becomes congruent to 448 mod 512. At least one bit and at most 512 bits are appended.

• Step2 : Append length

• A 64-bit representation of the length of the message is appended to the result of step1. If the length of the message is greater than 2^64, only the low-order 64 bits will be used.

The resulting message (after padding with bits and with b) has a length that is an exact multiple of 512 bits. The input message will have a length that is an exact multiple of 16 (32-bit) words.

• Step3. Initialize MD buffer

A four-word buffer (A, B, C, D) is used to compute the message digest. Each of A, B, C, D is a 32-bit register. These registers are initialized to the following values (in hexadecimal, low-order bytes first):

word A: 01 23 45 67

word B: 89 ab cd ef

word C: fe dc ba 98

word D: 76 54 32 10

• Step4 : Process message in 16-word blocks

Four functions will be defined such that each function takes an input of three 32-bit words and produces a 32-bit word output.

F (X, Y, Z) = XY or not (X) Z

G (X, Y, Z) = XZ or Y not (Z)

H (X, Y, Z) = X xor Y xor Z

I (X, Y, Z) = Y xor (X or not (Z))

• Step 4 – Process message in 16-word blocks cont.

• If the bits of X, Y, and Z are independent and unbiased, then each bit of F(X,Y,Z), G(X,Y,Z), H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased.

• Step 5 – output

• The message digest produced as output is A, B, C, D.

• That is, output begins with the low-order byte of A, and ends with the high-order byte of D.

• One MD5 operation. MD5 consists of 64 of these operations, grouped in four rounds of 16 operations.

• F is a nonlinear function; one function is used in each round. Mi denotes a 32-bit block of the message input, and Ki denotes a 32-bit constant, different for each operation.

Round 1.

[abcd k s i] denote the operation a = b + ((a + F (b, c, d) + X [k] + T [i]) <<< s).

Do the following 16 operations.

[ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4]

[ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8]

[ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12]

[ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16]

• Compared to other digest algorithms, MD5 is simple to implement, and provides a "fingerprint" or message digest of a message of arbitrary length.

• It performs very fast on 32-bit machine.

• MD5 is used heavily by everyone from large corporations, such as IBM and Cisco Systems, to individual programmers.

• MD5 is considered one of the most efficient algorithms currently available.

Authentication Requirements:

• Masquerade – Insertion of message from fraudulent source

• Content Modification – Changing content of message

• Sequence Modification – Insertion, deletion and reordering sequence

• Timing Modification – Replaying valid sessions

• Message Digest or “Fingerprint”

→ Compressed Representation

→ Easy to generate for a given file.

• Computationally infeasible to produce two messages with same message digest

• Impossible to recreate a message given a message digest.

• Data Integrity and Comparison Checking

→ Message Integrity Validation

• Public Key Algorithms

– Password Logins

– Encryption Key Management

– Digital Signatures

• Integrity Checking

– Virus and Malware Scanning

• Authentication

– Secure Web Connections

• (PGP, SSL, SSH, S/MIME)

SHA originally designed by NIST & NSA in 1993

was revised in 1995 as SHA-1

US standard for use with DSA signature scheme

standard is 180-1 1995, also Internet RFC3174

the algorithm is SHA, the standard is SHS

based on design of MD5 with key differences

produces 160-bit hash values

recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

                      SHA-1    SHA-224   SHA-256   SHA-384   SHA-512
Message digest size   160      224       256       384       512
Message size          < 2^64   < 2^64    < 2^64    < 2^128   < 2^128
Block size            512      512       512       1024      1024
Word size             32       32        32        64        64
Number of steps       80       64        64        80        80

Step 1: Append Padding Bits….

Message is “padded” with a 1 and as many 0’s as necessary to bring the message length to 64 bits fewer than an even multiple of 512.

Step 2: Append Length....

64 bits are appended to the end of the padded message. These bits hold the binary format of 64 bits indicating the length of the original message.

Step 3: Prepare Processing Functions….

SHA1 requires 80 processing functions defined as:

f(t;B,C,D) = (B AND C) OR ((NOT B) AND D) ( 0 <= t <= 19)

f(t;B,C,D) = B XOR C XOR D (20 <= t <= 39)

f(t;B,C,D) = (B AND C) OR (B AND D) OR (C AND D) (40 <= t <= 59)

f(t;B,C,D) = B XOR C XOR D (60 <= t <= 79)

Step 4: Prepare Processing Constants....

SHA1 requires 80 processing constant words defined as:

K(t) = 0x5A827999 ( 0 <= t <= 19)

K(t) = 0x6ED9EBA1 (20 <= t <= 39)

K(t) = 0x8F1BBCDC (40 <= t <= 59)

K(t) = 0xCA62C1D6 (60 <= t <= 79)

Step 5: Initialize Buffers….

SHA1 requires 160 bits or 5 buffers of words (32 bits):

H0 = 0x67452301

H1 = 0xEFCDAB89

H2 = 0x98BADCFE

H3 = 0x10325476

H4 = 0xC3D2E1F0

Step 6: Processing Message in 512-bit blocks (L blocks in total message)….

This is the main task of SHA1 algorithm which loops through the padded and appended message in 512-bit blocks.

Input and predefined functions:

M[1, 2, ..., L]: Blocks of the padded and appended message

f(0;B,C,D), f(1;B,C,D), ..., f(79;B,C,D): 80 Processing Functions

K(0), K(1), ..., K(79): 80 Processing Constant Words

H0, H1, H2, H3, H4: 5 Word buffers with initial values

Step 6: Pseudo Code….

/* All additions are modulo 2^32; <<< is a left rotation */
For loop on k = 1 to L
    (W(0),W(1),...,W(15)) = M[k]   /* Divide M[k] into 16 words */
    For t = 16 to 79 do:
        W(t) = (W(t-3) XOR W(t-8) XOR W(t-14) XOR W(t-16)) <<< 1
    End of for loop
    A = H0, B = H1, C = H2, D = H3, E = H4
    For t = 0 to 79 do:
        TEMP = (A <<< 5) + f(t;B,C,D) + E + W(t) + K(t)
        E = D, D = C, C = B <<< 30, B = A, A = TEMP
    End of for loop
    H0 = H0 + A, H1 = H1 + B, H2 = H2 + C, H3 = H3 + D, H4 = H4 + E
End of for loop

Output: H0, H1, H2, H3, H4: Word buffers with final message digest
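The six steps above, written out as runnable code. This is an added example, not part of the original slides; it keeps the slides' names f, K, W and H0..H4, and the function name `sha1` is chosen here for illustration.

```python
import struct

MASK = 0xFFFFFFFF

def rotl(x, s):
    """Rotate a 32-bit word left by s bits (the <<< operator)."""
    return ((x << s) | (x >> (32 - s))) & MASK

def f(t, B, C, D):
    """Step 3: the processing function depends only on the step range."""
    if t < 20:
        return (B & C) | (~B & D)
    if t < 40:
        return B ^ C ^ D
    if t < 60:
        return (B & C) | (B & D) | (C & D)
    return B ^ C ^ D

def K(t):
    """Step 4: one constant word per range of 20 steps."""
    return (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)[t // 20]

def sha1(msg: bytes) -> str:
    # Steps 1-2: a 1 bit, 0 bits, then the 64-bit big-endian bit length,
    # so the total is a multiple of 512 bits (64 bytes).
    padded = (msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
              + struct.pack(">Q", 8 * len(msg)))
    # Step 5: initial buffer values.
    H = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Step 6: process each 512-bit block.
    for off in range(0, len(padded), 64):
        W = list(struct.unpack(">16I", padded[off:off + 64]))
        for t in range(16, 80):
            W.append(rotl(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], 1))
        A, B, C, D, E = H
        for t in range(80):
            temp = (rotl(A, 5) + f(t, B, C, D) + E + W[t] + K(t)) & MASK
            A, B, C, D, E = temp, A, rotl(B, 30), C, D
        H = [(h + v) & MASK for h, v in zip(H, (A, B, C, D, E))]
    return "".join("%08x" % h for h in H)
```
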

• a = 6A09E667F3BCC908

• b = BB67AE8584CAA73B

• c = 3C6EF372FE94F82B

• d = A54FF53A5F1D36F1

• e = 510E527FADE682D1

• f = 9B05688C2B3E6C1F

• g = 1F83D9ABFB41BD6B

• h = 5BE0CD19137E2179

• HMAC stands for Hash-based Message Authentication Code

• It is used to verify data integrity and authenticity of a message

• It uses current cryptographic hash functions with a secret key (SHA or MD5)

The name of the function changes depending on what hash function you use

MD5 would result to HMAC-MD5

SHA# would result to HMAC-SHA#

• The strength of HMAC relies on the strength of the HASH used and the Quality of the key

• The output size is the same as that of the hash function

128-bit with MD5 or 160-bit with SHA-1

• Some terms to help out with the next slide:

H = hash function

K = key

M = message

|| = concatenation

XOR = XOR

o_key_pad = outer padding (one block long 0x36)

i_key_pad = inner padding (one block long 0x5c)

• In short:

HMAC(k,m) = H((k XOR o_key_pad) || H((k XOR i_key_pad) || m))

Function hmac (k, m)
    if (length(k) > blocksize) then
        k = hash(k)
    endif
    if (length(k) < blocksize) then
        k = k || (0x00 * (blocksize - length(k)))
    endif
    o_key_pad = (0x5c * blocksize) XOR k
    i_key_pad = (0x36 * blocksize) XOR k
    return hash(o_key_pad || hash(i_key_pad || m))
End Function

• Using MD5 as the hashing function in HMAC does not seem to compromise the function in regards to the MD5 weaknesses.

• Although SHA is much stronger, MD5 is best for performance if it is needed.

• The most common attack against HMAC is brute force to get the secret key.

• HMAC is substantially less affected by collisions than the hashing functions by themselves.

• A key can be of any length

However, a key shorter than the byte length of the hash output is discouraged

(16 for MD5, and 20 for SHA)

• Keys need to be chosen at random

Long key length may be advisable if the randomness of the key is weak

• Use a cryptographically strong pseudo-random generator with a random seed that is refreshed

This is generally a good security practice, and will limit the damage to keys and functions
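The HMAC pseudocode and the key guidance above, as an added Python example that is not part of the original slides. It follows the pseudocode's pad constants (0x5c outer, 0x36 inner); the names `hmac_manual`, `new_key` and `verify` are chosen here, and the standard-library `hmac` module is used only for the constant-time tag comparison.

```python
import hashlib
import hmac
import secrets

def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(k, m) = H((k XOR o_key_pad) || H((k XOR i_key_pad) || m))."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5/SHA-1
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()  # long keys are hashed first
    key = key.ljust(block_size, b"\x00")            # short keys are zero-padded
    o_key_pad = bytes(b ^ 0x5C for b in key)
    i_key_pad = bytes(b ^ 0x36 for b in key)
    inner = hashlib.new(hash_name, i_key_pad + msg).digest()
    return hashlib.new(hash_name, o_key_pad + inner).digest()

def new_key(hash_name: str = "sha1") -> bytes:
    """Random key from the OS CSPRNG, as long as the hash output."""
    return secrets.token_bytes(hashlib.new(hash_name).digest_size)

def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, msg, hash_name), tag)

if __name__ == "__main__":
    key = new_key()
    msg = b"constructed sample message"  # constructed sample input
    tag = hmac_manual(key, msg)
    print("tag:", tag.hex())
    print("genuine message accepted:", verify(key, msg, tag))
    print("altered message accepted:", verify(key, msg + b"!", tag))
```
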

Thank You

and

Have a Nice Day !