Message Authentication
© The McGraw-Hill Companies, Inc., 2007
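Chapter contents
8.1 Introduction
8.2 One-way hash functions
8.3 Document message integrity verification
8.4 MD5
8.5 SHA
8.6 Document message origin verification
8.7 Message authentication codes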
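8.1 Introduction
• Document messages sent openly over a network are easily intercepted by attackers and subjected to attacks such as modification, insertion, or deletion.
– The integrity of the document message must be verified.
• Was the document message really sent by the person it claims to come from, rather than by an impersonator?
– The origin of the message must be verified.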
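8.2 One-way hash functions
◎ Two main functions of a one-way hash function
(1) Scramble and recombine the document message so that it cannot be restored to the original document message.
(2) Compress a document message of arbitrary length into a fixed-length message digest.
◎ Mathematical expression: MD = H(M)
H(.): a one-way hash function
M: a document message of arbitrary length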
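Properties of one-way hash functions
◎ Three properties of a one-way hash function
(1) Given a document message M, its message digest MD is easy to compute.
(2) Given a message digest MD, it is hard to find a document message M′ such that H(M′) = MD.
(3) Given a document message M, it is hard to find another document message M′ such that H(M) = H(M′).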
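8.3 Document message integrity verification
◎ A one-way hash function is used to verify the integrity of a document message; the verification works as follows: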
8.4 MD5
Introduction
• MD5 was developed by Ron Rivest at MIT
• Arbitrary-length message → MD5 → 128-bit message digest
MD5 Message Digest Algorithm
MD5 Message Digest Algorithm (continued)
Initial Vector, IV
A: 01 23 45 67
B: 89 AB CD EF
C: FE DC BA 98
D: 76 54 32 10
Note: hexadecimal values
MD5 Processing of a Single 512-bit Block
[Figure: MD5 compression function. The 512-bit block Yq and the 128-bit chaining value CVq (32-bit words A, B, C, D) pass through four rounds; the result is added (+) word by word to CVq to give the 128-bit CVq+1.]
Round 1: F, T[1…16], X[i], 16 steps
Round 2: G, T[17…32], X[ρ2(i)], 16 steps
Round 3: H, T[33…48], X[ρ3(i)], 16 steps
Round 4: I, T[49…64], X[ρ4(i)], 16 steps
F, G, H, I: four primitive logical functions
T[i]: Table T, constructed from the sine function
X[k]: Array X
+: addition modulo 2^32
MD5 Compression Function
Primitive Logical Function
Round  Primitive function g  g(b, c, d)
1      F(b, c, d)            (b ∧ c) ∨ (¬b ∧ d)
2      G(b, c, d)            (b ∧ d) ∨ (c ∧ ¬d)
3      H(b, c, d)            b ⊕ c ⊕ d
4      I(b, c, d)            c ⊕ (b ∨ ¬d)
Truth table of logical functions
b c d F G H I
0 0 0 0 0 0 1
0 0 1 1 0 1 0
0 1 0 0 1 1 0
0 1 1 1 0 0 1
1 0 0 0 0 1 1
1 0 1 0 1 0 1
1 1 0 1 1 0 0
1 1 1 1 1 1 0
MD5 Compression Function (continued)
Table T
T[i] = 2^32 × abs(sin(i))
sin: sine function
Example:
T[1] = D76AA478
T[2] = E8C7B756
T[3] = 242070DB
…
T[64] = EB86D391
MD5 Compression Function (continued)
Array X
X[k] = M[q × 16 + k]
= the kth 32-bit word in the qth 512-bit block of the message
Permutation ρ
ρ2(i) = (1 + 5i) mod 16
ρ3(i) = (5 + 3i) mod 16
ρ4(i) = 7i mod 16
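Elementary MD5 Operation (single step)
[Figure: one step acting on the words A, B, C, D, combining the primitive logical function g, X[k] and T[i] by addition (+), followed by CLSs.]
CLSs: <<< s, Circular Left Shift s bits
g: Primitive Logical Function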
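The MD5 slides above, assembled into working code as an added example (not part of the original slides): table T from the sine function, the primitive functions F, G, H, I, the permutations ρ2, ρ3, ρ4, the initial vector and the single-step operation. The shift amounts s, the argument of sin in radians with the integer part taken, the padding rule and the little-endian word order are not listed on the slides and are taken from RFC 1321.

```python
import math
import struct

MASK = 0xFFFFFFFF
# Table T from the sine function: integer part of 2^32 * abs(sin(i)), i in radians.
T = [0] + [int(abs(math.sin(i)) * 2**32) & MASK for i in range(1, 65)]
# Shift amounts s for CLSs, four per round (RFC 1321; not on the slides).
S = [[7, 12, 17, 22], [5, 9, 14, 20], [4, 11, 16, 23], [6, 10, 15, 21]]
# Primitive logical functions F, G, H, I, one per round.
FUNCS = [
    lambda b, c, d: (b & c) | (~b & d),
    lambda b, c, d: (b & d) | (c & ~d),
    lambda b, c, d: b ^ c ^ d,
    lambda b, c, d: c ^ (b | ~d),
]
# Index into X for step i of each round: i, rho2(i), rho3(i), rho4(i).
RHO = [
    lambda i: i,
    lambda i: (1 + 5 * i) % 16,
    lambda i: (5 + 3 * i) % 16,
    lambda i: (7 * i) % 16,
]

def cls(x, s):
    """CLSs: circular left shift of a 32-bit word by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK

def md5_compress(cv, block):
    """One 512-bit block Yq: 4 rounds x 16 steps, then add the input CVq."""
    x = struct.unpack("<16I", block)  # X[k]: sixteen little-endian 32-bit words
    a, b, c, d = cv
    for step in range(64):
        rnd, i = divmod(step, 16)
        g = FUNCS[rnd](b, c, d) & MASK
        t = (a + g + x[RHO[rnd](i)] + T[step + 1]) & MASK
        a, b, c, d = d, (b + cls(t, S[rnd][i % 4])) & MASK, b, c
    return tuple((v + w) & MASK for v, w in zip(cv, (a, b, c, d)))

def md5_digest(message):
    """Pad the message, then chain md5_compress over each block from the IV."""
    cv = struct.unpack("<4I", bytes.fromhex("0123456789ABCDEFFEDCBA9876543210"))
    padded = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
    padded += struct.pack("<Q", (8 * len(message)) & (2**64 - 1))
    for q in range(0, len(padded), 64):
        cv = md5_compress(cv, padded[q:q + 64])
    return struct.pack("<4I", *cv)
```

`md5_digest(b"abc").hex()` gives `900150983cd24fb0d6963f7d28e17f72`, the same value as `hashlib.md5`.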
8.5 Secure Hash Algorithm (SHA-1)
Introduction
• SHA was developed by the National Institute of Standards and Technology (NIST)
• SHA was published as a Federal Information Processing Standard (FIPS PUB 180) in 1993
• Message with a maximum length of less than 2^64 → SHA → 160-bit message digest
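• ANSI: American National Standards Institute. ANSI is the main standards-setting body in the United States; it is responsible for many definitions and standards in information processing. ANSI is the United States' representative to ISO.
• NIST: National Institute of Standards and Technology. NIST (formerly the National Bureau of Standards) is part of the U.S. Department of Commerce and is a major force in developing standards. Under NIST, the Institute for Computer Sciences and Technology develops and publishes the FIPS standards (Federal Information Processing Standards) for the United States, and federal agencies purchase computer equipment according to these standards.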
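• FIPS: Federal Information Processing Standards. FIPS are a set of standards that the U.S. federal government uses to define the requirements for government agencies purchasing information systems and for auditing computer and communication systems. They are usually written in the form FIPS PUB xxxx.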
Secure Hash Algorithm (SHA-1) (continued)
Initial Vector, IV
A: 67 45 23 01
B: EF CD AB 89
C: 98 BA DC FE
D: C3 D2 E1 F0
E: C3 D2 E1 F0
Note: hexadecimal values
SHA-1 Processing of a Single 512-bit Block
[Figure: SHA-1 compression function. The 512-bit block Yq and the 160-bit chaining value CVq (32-bit words A, B, C, D, E) pass through four groups of 20 steps; the result is added (+) word by word to CVq to give the 160-bit CVq+1.]
f1, K, W[1…19], 20 steps
f2, K, W[20…39], 20 steps
f3, K, W[40…59], 20 steps
f4, K, W[60…70], 20 steps
f: primitive logical function
Kt: an additive constant; four distinct values are used, as defined previously
Wt: a 32-bit word derived from the current 512-bit input block
+: addition modulo 2^32
SHA-1 Compression Function
Primitive Logical Function
Step           Function Name          Function Value
0 ≤ t ≤ 19     f1 = f(t, B, C, D)     (B ∧ C) ∨ (¬B ∧ D)
20 ≤ t ≤ 39    f2 = f(t, B, C, D)     B ⊕ C ⊕ D
40 ≤ t ≤ 59    f3 = f(t, B, C, D)     (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)
60 ≤ t ≤ 79    f4 = f(t, B, C, D)     B ⊕ C ⊕ D
SHA-1 Compression Function (continued)
Truth table of logical functions for SHA-1
B C D f0…19 f20…39 f40…59 f60…79
0 0 0 0     0      0      0
0 0 1 1     1      0      1
0 1 0 0     1      0      1
0 1 1 1     0      1      0
1 0 0 0     1      0      1
1 0 1 0     0      1      0
1 1 0 1     0      1      0
1 1 1 1     1      1      1
SHA-1 Compression Function (continued)
Four Additive Constants, Kt
Step Number    Hexadecimal
0 ≤ t ≤ 19     Kt = 5A827999
20 ≤ t ≤ 39    Kt = 6ED9EBA1
40 ≤ t ≤ 59    Kt = 8F1BBCDC
60 ≤ t ≤ 79    Kt = CA62C1D6
SHA-1 Compression Function (continued)
Array W
[Figure: the 512-bit block Yq supplies W0 … W15; each later word up to W79 is formed by XOR of four earlier words (Wt-16, Wt-14, Wt-8, Wt-3) followed by S1.]
Sk: <<< k, Circular Left Shift k bits
Wt = S1(Wt-16 ⊕ Wt-14 ⊕ Wt-8 ⊕ Wt-3)
Elementary SHA-1 Operation (single step)
[Figure: one step acting on the words A, B, C, D, E, combining ft, S5, S30, Wt and Kt by addition (+).]
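The SHA-1 slides above, assembled into working code as an added example (not part of the original slides): the functions f1 to f4, the four constants Kt, the array W and the single-step operation. The code follows FIPS 180 where the slides give no detail or differ: steps run over t = 0 … 79, words are big-endian, the padding rule is the standard one, and D is initialised to 10 32 54 76.

```python
import struct

MASK = 0xFFFFFFFF
# Initial vector A..E as 32-bit words. D is the FIPS 180 value 10 32 54 76.
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
# Additive constants Kt, one per group of 20 steps.
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
# Primitive logical functions f1..f4, one per group of 20 steps.
F = (
    lambda b, c, d: (b & c) | (~b & d),
    lambda b, c, d: b ^ c ^ d,
    lambda b, c, d: (b & c) | (b & d) | (c & d),
    lambda b, c, d: b ^ c ^ d,
)

def s(x, k):
    """Sk: circular left shift of a 32-bit word by k bits."""
    return ((x << k) | (x >> (32 - k))) & MASK

def expand(block):
    """Array W: W0..W15 from Yq, then Wt = S1(Wt-16 ^ Wt-14 ^ Wt-8 ^ Wt-3)."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(s(w[t - 16] ^ w[t - 14] ^ w[t - 8] ^ w[t - 3], 1))
    return w

def sha1_compress(cv, block):
    """80 steps over one 512-bit block, then add the input CVq word by word."""
    w = expand(block)
    a, b, c, d, e = cv
    for t in range(80):
        f = F[t // 20](b, c, d) & MASK
        tmp = (s(a, 5) + f + e + w[t] + K[t // 20]) & MASK
        a, b, c, d, e = tmp, a, s(b, 30), c, d
    return tuple((v + x) & MASK for v, x in zip(cv, (a, b, c, d, e)))

def sha1_digest(message):
    """Pad the message, then chain sha1_compress over each block from the IV."""
    padded = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
    padded += struct.pack(">Q", 8 * len(message))
    cv = IV
    for q in range(0, len(padded), 64):
        cv = sha1_compress(cv, padded[q:q + 64])
    return struct.pack(">5I", *cv)
```

`sha1_digest(b"abc").hex()` gives `a9993e364706816aba3e25717850c26c9cd0d89d`, the same value as `hashlib.sha1`.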
Comparison of SHA-1 and MD5
• Security:
– SHA-1 is stronger against brute-force attacks than MD5
– MD5 is vulnerable to cryptanalytic attacks, but SHA-1 is not
• Speed:
– SHA-1 executes more slowly than MD5
• Simplicity and Compactness:
– Both algorithms are simple to describe and simple to implement
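8.6 Document message origin verification
Although a one-way hash function can be used to verify message integrity, in practice this alone does not work.
The problem is that the origin of the message is not authenticated.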
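Document message authentication based on a symmetric cryptosystem
◎ A symmetric cryptosystem is used as the document message authentication mechanism; the verification works as follows: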
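Document message authentication based on a public-key cryptosystem
◎ A public-key cryptosystem is used to produce a digital signature; the document message is authenticated as follows: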
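Document message authentication based on a key-dependent one-way hash function
◎ To overcome the heavy computation required by the previous two methods, a mechanism based on a key-dependent one-way hash function was introduced; this mechanism is also called a message authentication code (MAC):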
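8.7 Message authentication codes
◎ A message authentication code (MAC) can be used to verify that a document message was sent by one of the two parties who agreed to communicate, and that it was not tampered with in transit.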
MAC built from a symmetric cryptosystem and a one-way hash function
CBC-MAC
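One-way hash function MAC
• This type of MAC is a message authentication code built from a one-way hash function combined with a secret key.
• This kind of MAC mechanism also lets users decide for themselves which one-way hash function to use, which makes it convenient and flexible to implement.
• The concatenation can be H(K||M), but that is not secure. More secure concatenations are H(M||K), H(K1||M||K2), H(K,H(K||M)), and H(K1,H(K2||M)).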
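An added example (not part of the original slides) tying sections 8.6 and 8.7 together: a digest-only check accepts a message altered in transit because the digest can be recomputed without any secret, while a nested keyed hash rejects it. The nested form used here is HMAC (RFC 2104), a standardized construction of the nested kind listed above; the key, messages and function names are constructed for illustration, and SHA-256 is an assumed default for the user-selectable hash.

```python
import hashlib
import hmac

def digest_only_ok(message, digest):
    """Section 8.3 style check: recompute H(M) and compare. No key is involved."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)

def nested_mac(key, message, hash_name="sha256"):
    """HMAC written out: H((K xor opad) || H((K xor ipad) || M))."""
    def h(data):
        return hashlib.new(hash_name, data).digest()
    block = hashlib.new(hash_name).block_size
    if len(key) > block:  # keys longer than one block are hashed first
        key = h(key)
    key = key.ljust(block, b"\x00")
    inner = h(bytes(k ^ 0x36 for k in key) + message)
    return h(bytes(k ^ 0x5C for k in key) + inner)

def mac_ok(key, message, tag):
    """Receiver side: recompute the MAC with the shared key, constant-time compare."""
    return hmac.compare_digest(nested_mac(key, message), tag)

# Constructed sample data: a shared key and a message altered in transit.
KEY = b"constructed-shared-secret"
SENT = b"pay 100 to alice"
TAMPERED = b"pay 900 to mallory"

def demo():
    # Digest only: whoever alters M can also recompute H(M), so the check passes.
    forged_digest = hashlib.sha256(TAMPERED).digest()
    # MAC: without K, the altered message can only travel with the old tag.
    tag = nested_mac(KEY, SENT)
    return {
        "hash_only_accepts_tampered": digest_only_ok(TAMPERED, forged_digest),
        "mac_accepts_original": mac_ok(KEY, SENT, tag),
        "mac_accepts_tampered": mac_ok(KEY, TAMPERED, tag),
        "matches_stdlib_hmac": tag == hmac.new(KEY, SENT, "sha256").digest(),
    }
```

In production code, call `hmac.new` and `hmac.compare_digest` from the standard library directly rather than the written-out form.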