Information Security and Management 11. Message Authentication and Hash Functions
description
Transcript of Information Security and Management 11. Message Authentication and Hash Functions
![Page 1: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/1.jpg)
1
Information Security and Management
11. Message Authentication and Hash Functions
Chih-Hung Wang
Sep. 2008
![Page 2: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/2.jpg)
2
Message Authentication
Authentication Requirement Possible attacks on the network
DisclosureTraffic analysisMasqueradeContent modificationSequence modificationTiming modificationSource repudiationDestination repudiation
![Page 3: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/3.jpg)
3
Authentication Functions
Message encryption The ciphertext of the entire message serves as its
authenticator Message authentication code (MAC)
A public function of the message and a secret key that produces a fix-length value that serves as the authenticator
Hash Function A public function that maps a message of any length into a
fixed-length hash value, which serves as the authenticator
![Page 4: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/4.jpg)
4
Message Encryption
Conventional encryption: confidentiality and authentication
(A)
![Page 5: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/5.jpg)
5
Message Encryption
(B)
Public-key encryption: confidentiality
![Page 6: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/6.jpg)
6
Message Encryption
(C)
Public-key encryption: authentication and signature
![Page 7: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/7.jpg)
7
Message Encryption
(D)
Public-key encryption: confidentiality, authenticationAnd signature
![Page 8: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/8.jpg)
8
Table 11.1 (1)
![Page 9: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/9.jpg)
9
Table 11.1 (2)
![Page 10: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/10.jpg)
10
Error Control
Append an error-detecting code (frame check sequence, FCS) or checksum to each message before encryption
Internal error control
![Page 11: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/11.jpg)
11
Error Control
External error control
An opponent can construct messages with valid error-control codes
![Page 12: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/12.jpg)
12
Example of TCP SegmentThe receiver can be assured of the proper sequencebecause an attacker cannot successfully alter thesequence number
![Page 13: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/13.jpg)
13
TCP-level Encryption
![Page 14: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/14.jpg)
14
MAC (1)
The use of a secret key to generate a small fixed-size block of data
That is appended to the message A MAC function is similar to encryption. One
difference is that MAC algorithm need not be reversible
It is less vulnerable to being broken than encryption
![Page 15: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/15.jpg)
15
MAC (2)
Three situations in which a message authentication code is used The same message is broadcast to a number of destinations
It is cheaper and more reliable to have only one destination responsible for monitoring authenticity
An exchange: one side has a heavy load and cannot afford the time to decrypt all incoming message.
Message being chosen at random for checking Authentication of a computer program in plaintext is an
attractive service The computer program can be executed without having to
decrypt it every time
![Page 16: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/16.jpg)
16
MAC (3)
Other rationales For some applications, it may not be concern to keep
message secret, but it is important to authenticate message
SNMPv3:separates the functions of confidentiality and authentication
Separation of authentication and confidentiality functions affords architectural flexibility
Perform authentication at the application level but to provide confidentiality at a lower level
A user may wish to prolong the period of protection beyond the time of reception and yet allow processing the message content
![Page 17: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/17.jpg)
17
MAC (4)
Message authentication
![Page 18: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/18.jpg)
18
MAC (5)
Message authentication and confidentiality;Authentication tied to plaintext
![Page 19: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/19.jpg)
19
MAC (6)
Message authentication and confidentiality;
Authentication tied to ciphertext
![Page 20: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/20.jpg)
20
Basic Uses of MAC (Table 11.2)
![Page 21: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/21.jpg)
21
MAC Function
A MAC function is similar to encryption. One difference is that the MAC algorithm need not be reversible, as it must for decryption.
In general, the MAC function is a many-to-one function. If an n-bit MAC is used, then there are 2n possible MACs, whereas there are N possible messages with N>>2n.
![Page 22: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/22.jpg)
22
Requirements for MACs (1)
![Page 23: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/23.jpg)
23
Requirements for MACs (2) Taking into account the types of attacks Need the MAC to satisfy the following:
1. Knowing a message and MAC, is infeasible to find another message with same MAC
2. If we assume that the opponent does not know k but does have access to the MAC function and can present messages for MAC generation, then the opponent could try various messages until finding one that matches a given MAC. MACs should be uniformly distributed. A brute-force method would require, on average, 2(n-1) attempts.
3. The MAC should not be weaker with respect to certain parts or bits of the message than others.
![Page 24: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/24.jpg)
24
Using Symmetric Ciphers for MACs
Can use any block cipher chaining mode and use final block as a MAC
Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC using IV=0 and zero-pad of final block encrypt message using DES in CBC mode and send just the final block as the MAC
or the leftmost M bits (16≤M≤64) of final block
but final MAC is now too small for security
![Page 25: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/25.jpg)
25
DAC
Data Authentication Code (FIPS PUB 113 and ANSI standard X9.17)
![Page 26: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/26.jpg)
26
Hash Function
Definition A hash function accepts a variable-size message M as
input and produces a fixed-size hash code H(M) Sometime called a message digest Hash Algorithm
MD5 RFC 1321 developed by Ron Rivist at MIT
Secure Hash Algorithm (SHA) FIPS PUB 180 in 1993 (NIST) 180-1 in 1995 FISP: Federal Information Processing Standard
![Page 27: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/27.jpg)
27
Hash Function
PlaintextM
Message Digest
Hash value H(M)
![Page 28: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/28.jpg)
28
Requirements of Hash H can be applied to a block of data of any size H produces a fixed-length output H(x) is relatively easy to compute for any given x, making
both hardware and software implementations practical For any given code h, it is computationally infeasible to find x
such that H(x)=h. This is sometimes referred to in the literature as the one-way property
For any given block x, it is computationally infeasible to find yx with H(y)=H(x). This is sometimes referred to as weak collision resistance
It is computationally infeasible to find any pair (x,y) such that H(x)=H(y). This is sometimes referred to as strong collision resistance.
![Page 29: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/29.jpg)
29
Requirements of Hash
m1
m2
H(m1)
H(m2)
It is difficult to find m1 and m2 (m1 m2) such that H(m1)=H(m2)
![Page 30: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/30.jpg)
30
Basic Use of Hash (A)
![Page 31: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/31.jpg)
31
Basic Use of Hash (B)
![Page 32: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/32.jpg)
32
Basic Use of Hash (C)
![Page 33: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/33.jpg)
33
Security of Hash Functions
For a code of length n One-way: 2n
Weak collision resistance: 2n
Strong collision resistance: 2n/2
![Page 34: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/34.jpg)
34
The Famous Hash Functions
MD5 SHA
![Page 35: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/35.jpg)
35
SHA-1 Logic1. Append padding bits: pad message so its length is 448 mod
512 2. Append length: append a 64-bit length value to message3. Initialize MD buffer: initialise 5-word (160-bit) buffer
(A,B,C,D,E) to (67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
4. Process message in 512-bit (16-word) blocks: expand 16 words into 80 words by mixing & shifting use 4 rounds of 20 bit operations on message block & buffer add output to input to form new buffer value
5. Output: output hash value is the final buffer value
![Page 36: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/36.jpg)
36
SHA-1 Compression Function
Each round has 20 steps which replaces the 5 buffer words thus:(A,B,C,D,E) <-(E+f(t,B,C,D)+S5(A)+Wt+Kt),A,S30(B),C,D)
A,B,C,D,E refer to the 5 words of the buffer t is the step number, 0 t 79 f(t,B,C,D) is nonlinear function for round Wt is derived from the message block Kt is an additive constant value Sk is circular left shift by k bits
![Page 37: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/37.jpg)
37
SHA-1 Compression Function
![Page 38: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/38.jpg)
38
SHA-1 Compression Function
![Page 39: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/39.jpg)
39
Function Summarized
![Page 40: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/40.jpg)
40
80-word Input Sequence Wt=S1(Wt-16Wt-14 Wt-8 Wt-3)
![Page 41: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/41.jpg)
41
Comparison of SHA-1 and MD5
Brute force attack for SHA-1 is harder (160 vs 128 bits for MD5)
SHA-1 is not vulnerable to any known attacks (compared to MD4/5) ??
(Speed) SHA-1 is a little slower than MD5 (80 vs 64 steps)
Both designed is simple and compact SHA-1 uses big endian scheme (MD5 uses
little endian scheme)
![Page 42: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/42.jpg)
42
Revised Secure Hash Standard
NIST have issued a revision FIPS 180-2 and adds 3 additional hash algorithms: SHA-256, SHA-384, SHA-512.
Designed for compatibility with increased security provided by the AES cipher
Structure & detail are similar to SHA-1 and hence analysis should be similar.
![Page 43: Information Security and Management 11. Message Authentication and Hash Functions](https://reader033.fdocuments.in/reader033/viewer/2022051401/56814dd8550346895dbb4031/html5/thumbnails/43.jpg)
43
Comparison of SHA Properties