DI-FCT-UNL Computer and Network Systems Security...

© 2010, Henrique J. Domingos, DI/FCT/UNL 2.2 – Message Authentication and Secure Hash Functions 1

2. Cryptography

2.2 Message Authentication and Secure Hash Functions

DI-FCT-UNL Computer and Network Systems Security Segurança de Sistemas e Redes de Computadores 2010-2011


Outline

•  Message Authentication and Secure Hash Functions –  Message authentication codes (MACs) –  Integrity, confidentiality and MACs –  MAC schemes with conventional encryption

•  CMACs and Public-Key based Message Authentication –  Secure Hash Functions –  HMACs


Outline




Message Authentication •  message authentication: proof of origin, confirming

the sender (identity of originator) –  protecting (implicitly) the message integrity

•  Contents have not been altered (tampering detection) •  Proof that, it was sent at a certain time or sequence

(message replay detection or non-sequence detection)

–  validating identity of originator •  Message came certainly from apparent correct

principal (source or author) –  non-repudiation of origin (dispute resolution)

•  In some cases… message authentication is arguably more important than secrecy (ex., E-Commerce)


Outline




MAC or Message Authentication Code •  Generated by an

algorithm that creates: •  a (usually small)

fixed-sized block, depending on both message and some key (Keyed Mac notion)

•  like encryption though need not be reversible

- A MAC is appended to message as a “message signature” - Receiver performs same computation on message and checks it

matches the MAC - Provides assurance that message is unaltered and comes from a

correct sender (correct origin)

Vari

able

siz

e

Vari

able

siz

e

Fixed size


Message Authentication Codes •  As shown the MAC provides authentication and

implicit integrity (but no confidentiality)

•  Why use a MAC with no confidentiality or no integrity warranties? –  sometimes only authentication is needed –  sometimes need authentication and integrity to persist

longer than the encryption (eg. archival use) (Weak integrity checking may be supported with other schemes (MICs, other checksum functions)

•  Can use encryption for secrecy (combining authentication + integrity + confidentiality) –  generally use separate keys for each –  can compute MAC either before or after encryption –  is generally regarded as better done before –  … But must consider also balance requirements for

authentication, confidentiality, integrity vs. DoS


Example •  A protected record-layer message transport

protocol for secure communication sessions Ex., in SSL (or TLS): Protocolo do nível aplicação


Example of a Record-Layer Protocol •  RLM = H || { Pp(M) || MAC }Ks

Ex: RLP in SSL or TLS

Transport Layer


MAC Properties •  a MAC works as a cryptographic secure checksum

MAC = CK(M) or MACK(M) or MAC(K, M)

•  Note that a MAC is not a digital signature (authentication of principals) in the sense of digital signatures for principals –  A MAC requires shared keys –  Used like “fast or light-weight message signature

scheme” based on a NDA of the KEY. Why ?

•  is it a “many-to-one” function ? –  potentially many messages have same MAC

•  Not warranted collision free –  but finding these needs to be very difficult

•  With appropriate security properties of MAC cryptographic functions. Which properties ?


Security properties of MACs •  Irreversibility

If Y = MAC (X1) it is not possible to find X1 knowing Y

•  Collision resistance: knowing a message and MAC, is infeasible to find another message with same MAC

–  Weak collision resistance Given Y=MAC (X1) and X1 : no other X2 with Y=MAC(X2)

–  Strong collision resistance Given a value y, it is not possible to find any Z1 and Z2, in a way that MAC (Z1) = MAC (Z2) = Y

•  Uniform distribution –  MACs should be uniformly distributed, independently

of the message input –  MAC should depend equally on all bits of the message


Examples (typical uses) •  Ex. 1: Header | {M, TS, NS, … }k1 | MACK2 (M, TS, NS, …)

•  Ex. 2: Header | {M, TS, SN, … , MACKS (M, TS, SN, …) }ks

•  Ex. 3: Content-Type | M version | m version | Compressed length |

{ compress [ M, TS, SN,… MACKm (M, TS, N,…) ] } KS

•  Ex. 4: (DoS minimization tradeoff) Content-Type | M version | m version | Compressed length |

{ compress [M,TS,SN, …] }KS | MACKm (M,TS,NS, …)

> Note: you must take in account other issues for security assumptions: Block modes of operation, key-distribution, attacks to weaknesses of MAC properties


Outline




Approaches to Message Authentication •  Message Authentication Codes (MACs)

–  “Keyed MACs”: Calculate the MAC as a function of the message and the key. MAC = F(K, M)

–  “Non keyed MACs”: the MAC as a function of the message only. MAC=F(M)

–  Message Authentication using Encryption •  CMACs: with symmetric encryption - only the sender

and receiver should share a key (used in a “non-disclosure key agreement basis”)

•  with asymmetric encryption – equivalent to pubic-key digital signatures

–  Message Authentication without Message Encryption •  An authentication tag (MAC tag) is generated and

appended to each message •  In general with secure hash-functions – no need of

additional keys)


Message Authentication with Encryption •  Message encryption using conventional encryption

(or symmetric methods) by itself also provides a measure of authentication

•  If symmetric encryption is used then: –  receiver know sender must have created it,

since only sender and receiver know key used •  Shared secret key, used with non-disclosure mutual

agreement –  know content cannot of been altered or

tampered, if message has suitable structure, redundancy with MICs or checksum to detect any changes


CMAC based schemes •  Can use any block cipher chaining mode and use

final block as a MAC

•  Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC (scheme known as CMAC with DES) –  using IV=0 and zero-pad of final block –  encrypt message using DES in CBC mode –  and send just the final block as the MAC

•  or the leftmost M bits (16≤M≤64) of final block


Data Authentication Algorithm

FIPS PUB 113 / ANSI X.917 MAC (with DES-CBC) … final MAC is today too small for security In general, is possible to use CMACs with other symmetric algorithms to have more strong CMACs


CMAC (NIST improvement 800-38B)

•  previously saw the DAA (CBC-MAC), widely used in govt & industry –  but has message size limitation (DES and DES blocks) –  AdHos practices with other algorithms

•  NIST standardization •  can overcome using 2 keys & padding, thus forming

the Cipher-based Message Authentication Code (CMAC)

•  adopted by NIST SP800-38B for use with AES and Triple DES


CMAC Overview AES: K: 128/192/256 bits 3DES: K: 112/168 bits

K1, K2 Derived from K {0}K and GK(2^n) multiplication

With no padding

With padding


Message Authentication with Encryption •  Message encryption with public-key cryptography

(asymmetric methods) also provides a measure of authentication

•  If public-key encryption is used: –  Encryption provides no confidence of sender (encrypting

with the public-key), since anyone potentially knows public-key

–  However if •  sender signs message using their private-key

–  (principle of public key signatres) •  then encrypts with recipients public key •  have both secrecy and authentication

{ {M}KprivSender }KpubDest –  Again need to recognize corrupted messages –  But at cost of two public-key uses on message


One-way HASH function •  Secret value is added before the hash and removed

before transmission. •  Compared with the other schemes: balance between

performance and security –  Reference: Secure Hash-Functions faster than symmetric

methods faster than public-key cryptoi (in general)


Outline




Hash Functions •  Condenses arbitrary message to fixed size

h = H(M) : hash code or message digest

•  Usually assume that the hash function is public and not keyed –  cf. MAC which is keyed

•  Hash is used to detect changes to message –  Message tampering detection

•  Can use in various ways with message •  Most often to create a “fast or light-weight

digital signature”

Secure Hash

Function M

(variable size) H

(fixed size)


Secure HASH Functions

Purpose of the HASH function is to produce a ”fingerprint” (hash value), with the following properties:

1.  H can be applied to a block of data at any size 2.  H produces a fixed length output 3.  H(x) is easy to compute for any given x. 4.  Irreversibility: for any given block x, it is

computationally infeasible to find x such that H(x) = h 5.  Weak collision resistance: for any given block x, it is

computationally infeasible to find with H(y) = H(x). 6.  Strong collision resistance: it is computationally

infeasible to find any pair (x, y) , such that H(x) = H(y)

7.  Uniform distribution


Birthday Attacks •  might think a 64-bit hash is secure ? 128 is better ? •  … Think on it by the Birthday Paradox

–  The chance that in a group of people two will share the same birthday: with 23 persons, p > 0.5

–  Generalization: matching pair from any two sets: 2m/2 in each set to get a matching m-bit hash

•  birthday attack works thus: –  opponent generates 2m/2 variations of a valid message all

with essentially the same meaning

–  opponent also generates 2m/2 variations of a desired fraudulent message (to get a matching m-bit hash)

–  two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)

–  have user sign the valid message, then substitute the forgery which will have a valid signatures

•  conclusion is that need to use larger MAC/hash


Simple Hash Function (LRC MIC) Longitudinal redundancy check

•  Ci = Bi1 xor Bi2 xor ….. xor Bim for 1 <= i <= n

•  Good (acceptable) as a MIC ? probability of an error will result in an unchanged hash value is 1/2^n

•  Is it secure ? Ex., Predictable input as text with 128 bit hash, reduces P to 1/2^112

•  How can we do better ? Need to provoke an effect of randomizing the input more completely and overcoming any regularities


2^37 variations of a letter

[Dav 89]


Simple Hash Function approach

•  Ex., one-bit circular shift on the hash value after each block is processed would improve

Use of RXOR (Rotated XOR)

•  Is it secure ? Useful for encrypted messages ?


The hash is the same if you permute the cipher text blocks (non collision resistance) !!!

We must be careful [Jueneman, Matyas and Meyer, Message Authentication, IEEE Communications, Sep 1988]

Ex., Operation with CBC mode •  M = set of words of (ex., 64 bits): X1, X2, ... Xn with some

standard (known) padding •  H(M) = Xn+1 = X1 xor X2 xor X3, .... Xn-1 xor Xn •  C = E (k, (M || H(M) ) , using CBC •  C = Y1, Y2, Y3, .... Yn

From the CBC mode we know that: X1 = IV xor D (k, Y1), Xi = Yi-1 xor D (k, Yi) H(M) = Xn+1 = Yn xor D (k, Yn+1) = X1 xor X2 xor .... xor Xn = [IV xor D(k, Y1)] xor [Y1 xor D(k, H2)] xor .... xor [Yn-1 xor D(k, Yn) ]

Problem ?

So we need SECURE HASH FUNCTIONS


Block Ciphers as Hash Functions •  Without secret keys: instead using the message

blocks as “keys” •  can use block ciphers as hash functions

–  using H0=0 and zero-pad of final block –  compute: Hi = EMi [Hi-1] –  and use final block as the hash value –  similar to CBC but without a key

•  Problems ? •  resulting hash is too small (ex., 64-bit using DES)

–  both due to direct birthday attack –  and to “meet-in-the-middle” attack

•  other variants also susceptible to attack


Hash Functions & MAC Security •  like block ciphers have: •  brute-force attacks exploiting

–  strong collision resistance hash have cost with complexity O(2m/2) •  have proposal for h/w MD5 cracker (see the

book) •  128-bit hash looks vulnerable, 160-bits

better –  MACs with known message-MAC pairs

•  can either attack keyspace (cf key search) or MAC

•  Cost is this case O (min 2^k, 2^n) which is similar to symmetric encryption algorithms

•  at least 128-bit MAC is needed for security


Hash Functions & MAC Security •  cryptanalytic attacks exploit structure

–  like block ciphers want brute-force attacks to be the best alternative

•  have a number of analytic attacks on iterated hash functions –  CVi = f[CVi-1, Mi]; H(M)=CVN –  typically focus on collisions in function f –  like block ciphers is often composed of rounds –  attacks exploit properties of round functions


Outline


•  CMACs and Public-Key based Message Authentication –  Secure Hash Functions

•  MD5, Ripem, SHA and SHA-1 •  SHA256, SHA384, SHA512 •  Digest lengths, base processing blocks, iteration rounds,

maximum input message –  HMACs


Secure Hash Functions


Hash Algorithm Structure

Most important modern hash functions follow this structure


Other Secure HASH functions

SHA-1 MD5 RIPEMD-160

Digest length 160 bits 128 bits 160 bits

Basic unit of processing

512 bits 512 bits 512 bits

Number of steps 80 (4 rounds of 20)

64 (4 rounds of 16)

160 (5 paired rounds of 16)

Maximum message size

264-1 bits


SHA - Secure Hash Algorithm •  SHA (NIST FIPS 180) originally designed by

NIST & NSA in 1993 –  was revised in 1995 as SHA-1 (FIPS PUB 180-1)

•  US standard for use with DSA signature scheme –  standard is FIPS 180-1 1995, also Internet

RFC3174 –  nb. the algorithm is SHA, the standard is SHS

•  based on design of MD4 with key differences •  produces 160-bit hash values •  recent 2005 results on security of SHA-1 have

raised concerns on its use in future applications –  Attack in which twe separate messaded could be found

that deliver the same Hash SHA-1 with 2^69 opeations, far fewer than 2^80 operations – previously thought needed to find a collision


Message Digest Generation Using SHA-1


SHA-1 Processing of single 512-Bit Block


SHA-1 – is it weak ? •  produces 160-bit hash values

–  Strong collision resistance: = O (2^80) •  recent 2005 results on security of SHA-1 have

raised concerns on its use in future applications –  Attack in which two separate messages could be found

that deliver the same Hash SHA-1 with 2^69 operations, far fewer than 2^80 operations – previously thought needed to find a collision


Revised Secure Hash Standard •  NIST issued revision FIPS 180-2 in 2002 •  adds 3 additional versions of SHA

–  SHA-256, SHA-384, SHA-512 •  designed for compatibility with increased security provided

by the AES cipher •  structure & detail is similar to SHA-1 •  hence analysis should be similar •  but security levels are rather higher


SHA-512 Overview


SHA-512 Compression Function •  Processing message in 1024-bit blocks

–  See last slide •  F(): heart of the algorithm

–  consists of 80 rounds •  updating a 512-bit buffer •  using a 64-bit value Wt derived from the

current message block •  and a round constant based on cube root of

first 80 prime numbers


SHA-512 Round Function


SHA-3

•  SHA-1 not yet ”broken” –  but similar to broken MD5 & SHA-0 –  so considered insecure

•  SHA-2 (esp. SHA-512) seems secure –  shares same structure and mathematical

operations as predecessors … so have concern

•  NIST announced in 2007 a competition for the SHA-3 next gen NIST hash function –  goal to have in place by 2012 but not fixed


SHA-3 Requirements

•  It must replace SHA-2 with SHA-3 in any use –  so use same hash sizes

•  Preserve the online nature of SHA-2 –  so must process small blocks (512 / 1024 bits)

•  Evaluation criteria –  Security close to theoretical max for hash sizes –  Cost in time & memory –  Characteristics: such as flexibility & simplicity


Outline




HMAC (as in RFC 2104)

•  It was born from the idea of a “keyed hash” •  Specified as Internet standard RFC2104

•  uses hash function on the message: HMACK = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad)||M)]]

•  where K+ is the key padded out to size •  and opad, ipad are specified padding constants •  overhead is just 3 more hash calculations than the

message needs alone •  any hash function can be used

–  eg. MD5, SHA-1, RIPEMD-160, Whirlpool


HMAC Structure Use a MAC derived from a cryptographic hash code, such as SHA-1.

Motivations: •  Cryptographic hash functions executes faster in software than encryption algorithms such as DES

•  Library code for cryptographic hash functions is widely available

•  No export restrictions from the US


HMAC Security vs. Speed •  proved security of HMAC relates to that of the underlying

hash algorithm •  attacking HMAC requires either:

–  brute force attack on key used –  birthday attack (but since keyed would need to observe a

very large number of messages) •  choose hash function used based on speed verses security

constraints

•  HMAC as a “fast (or light-weight) signatures” (comparing with CMACs or PubKey Signatures)


Remember: performance of algorithms

Comparisons in Java (standard JDK and Sun Crypto-Provider) http://www.javamex.com/tutorials/cryptography/ciphers.shtml http://www.javamex.com/tutorials/cryptography/hash_functions_algorithms.shtml

See also: Openssl speed benchmark (speed test library performance) http://wikis.sun.com/display/CryptoPerf/UltraSPARC+cryptographic+performance


Suggested Readings

•  W. Stallings, Network Security Essentials, Chap 3., section 3.1, 3.2

•  More complete: W. Stallings, Cryptography and Network Security – Principles and Practices, 4th Edition, Pearson – Prentice Hall, Chap. 11 and 12


Complementary topics (of interest) •  Secure Hash Algorithms and Internal Structure:

–  Whirlpool –  SHA-512

DI-FCT-UNL Computer and Network Systems Security...

Documents

Transcript of DI-FCT-UNL Computer and Network Systems Security...