1 Message Authentication and Hash Functions G962110 何采宭.
-
Upload
dominic-kelley -
Category
Documents
-
view
226 -
download
3
Transcript of 1 Message Authentication and Hash Functions G962110 何采宭.
1
Message Message Authentication and Authentication and
Hash Functions Hash Functions G962110 G962110 何采宭何采宭
2
outlineoutline
Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of Hash Functions and Macs
3
Authentication RequirementsAuthentication Requirements
In the context of communications across a network, the following attacks can be identified:
1. Disclosure(洩漏 )2. Traffic analysis(流量分析 )3. Masquerade(偽裝 )4. Content modification(竄改內容 )5. Sequence modification(竄改順序 )6. Timing modification(竄改時序 )7. Source repudiation(來源端否認曾傳送內容 )8. Destination repudiation(目的端否認已收到訊息 )
屬於保密性的範圍
屬於訊息確認的範圍
數位簽
章數位簽
章及設
定
4
Authentication FunctionsAuthentication Functions
Any message authentication or digital signature mechanism has two levels of functionality
1. At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message
2. This lower-level function is then used as a primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message.
5
Authentication FunctionsAuthentication Functions
the types of functions that may be used to produce an authenticator. These may be grouped into three classes, as follows:
1. Message encryption: The ciphertext of the entire message serves as its authenticator
2. Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator
3. Hash function : A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator
6
Message Encryption Message Encryption
Message encryption by itself can provide a measure of authentication. The analysis differs for symmetric and public-key encryption schemes.
1.1. Symmetric EncryptionSymmetric Encryption
2.2. Public-Key EncryptionPublic-Key Encryption
3.3. Message Authentication CodeMessage Authentication Code
4.4. Hash FunctionHash Function
7
Symmetric Encryption Symmetric Encryption
8
Symmetric EncryptionSymmetric Encryption
suppose that we are transmitting English-language messages using a Caesar cipher with a shift of one (K = 1). A sends the following legitimate ciphertext:
nbsftfbupbutboeepftfbupbutboemjuumfmbnctfbujwz
B decrypts to produce the following plaintext:
mareseatoatsanddoeseatoatsandlittlelambseativy
9
Symmetric EncryptionSymmetric Encryption
A simple frequency analysis confirms that this message has the profile of ordinary English. On the other hand, if an opponent generates the following random sequence of letters:
zuvrsoevgqxlzwigamdvnmhpmccxiuureosfbcebtqxsxq
this decrypts to:
ytuqrndufpwkyvhfzlcumlgolbbwhttqdnreabdaspwrwp which does not fit the profile of ordinary English.
10
Symmetric EncryptionSymmetric Encryption
force the plaintext to have some structure that is easily recognized but that cannot be replicated without recourse to the encryption function Ex: error-detecting code (frame check
sequence, FCS/checksum)
11
Public-Key Encryption Public-Key Encryption
12
Public-Key EncryptionPublic-Key Encryption
13
Message Authentication Code Message Authentication Code
use of a secret key to generate a small fixed-size block of data that is appended to the message.
assumes that two communicating parties, say A and B, share a common secret key K.
When A has a message to send to B, it calculates the MAC as a function of the message and the key:MAC = CK (M), where M= input message C= MAC function K= shared secret key MAC= message authentication code
14
Message Authentication CodeMessage Authentication Code
if the received MAC matches the calculated MAC, then The receiver is assured that the message has not been altered The receiver is assured that the message is from the alleged
sender. If the message includes a sequence number (such as is used with
HDLC, X.25, and TCP), then the receiver can be assured of the proper sequence because an attacker cannot successfully alter the sequence number.
15
Message Authentication CodeMessage Authentication Code
16
Hash Function Hash Function
accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M).
Unlike a MAC, a hash code does not use a key but is a function only of the input message.
The hash code is a function of all the bits of the message and provides an error-detection capability: A change to any bit or bits in the message results in a change to the hash code.
17
Hash Function Hash Function
illustrates a variety of ways in which a hash code can be used to provide message authentication, as follows:
18
Hash Function Hash Function
19
Hash FunctionHash Function
20
Message Authentication Codes Message Authentication Codes
A MAC, also known as a cryptographic checksum, is generated by a function C of the form
MAC = CK (M) M is a variable-length message K is a secret key shared only by sender and receiver C(K, M) is the fixed-length authenticator.
is a many-to-one function potentially many messages have same MAC but finding these needs to be very difficult
21
Requirements for MACs Requirements for MACs
When an entire message is encrypted for confidentiality, using either symmetric or asymmetric encryption, the security of the scheme generally depends on the bit length of the key. brute-force attack
22
Requirements for MACsRequirements for MACs
taking into account the types of attacks need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible to find another message with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the message
23
Hash FunctionHash Function
A hash value h is generated by a function H of the form
h = H(M) M is a variable-length message H(M) is the fixed-length hash value
24
Requirements for a Hash Function
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h=H(M) for any message M
4. given h is infeasible to find x : H(x)=h• one-way property
5. given x is infeasible to find y : H(y)=H(x)• weak collision resistance
6. is infeasible to find any (x,y ): H(y)=H(x)• strong collision resistance
25
Simple Hash Functions
One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of every block. This can be expressed as follows:
Ci = bi1 b⊕ i1 ... b⊕ ⊕ im Ci= ith bit of the hash code, 1 i n≦ ≦ M = number of n-bit blocks in the input Bij = ith bit in jth block ⊕ = XOR operation
26
Birthday Attacks
might think a 64-bit hash is secure Yuval proposed the following strategy:
opponent generates 2m/2 variations of a valid message
all with essentially the same meaning opponent also generates 2
m/2 variations of a desired fraudulent message
two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)
have user sign the valid message, then substitute the forgery which will have a valid signature
The conclusion to be drawn from this is that the length of the hash code should be substantial
27
Block Chaining Techniques
number of proposals have been made for hash functions based on using a cipher block chaining technique, but without the secret key.
Divide a message M into fixed-size blocks M1, M2,..., MN and use a symmetric encryption system such as DES to compute the hash code G as follows: Ho= initial value
Hi= Emi[ Hi-1]
G= HN
28
Block Chaining Techniques
resulting hash is too small (64-bit) both due to direct birthday attack and to “meet-in-the-middle” attack
other variants also susceptible to attack
29
Security of Hash Functions and Macs
Just as with symmetric and public-key encryption, we can group attacks on hash functions and MACs into two categories: brute-force attacks and cryptanalysis.
30
Brute-Force Attacks
Hash Functions The strength of a hash function against brute-force
attacks depends solely on the length of the hash code produced by the algorithm. Recall from our discussion of hash functions that there are three desirable properties:
One-way: For any given code h, it is computationally infeasible to find x such that H(x) = h.
Weak collision resistance: For any given block x, it is computationally infeasible to find y x with H(y) = H(x).
Strong collision resistance: It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
31
Brute-Force Attacks
For a hash code of length n, the level of effort required, as we have seen is proportional to the following:
One way 2n
Weak collision resistance
2n
Strong collision resistance
2n/2
32
Brute-Force Attacks
Message Authentication Codes A brute-force attack on a MAC is a more difficult
undertaking because it requires known message-MAC pairs
can either attack keyspace (key search) or MAC at least 128-bit MAC is needed for security
33
Cryptanalysis
As with encryption algorithms, cryptanalytic attacks on hash functions and MAC algorithms seek to exploit some property of the algorithm to perform some attack other than an exhaustive search.
34
Hash Functions
CVCVi i = f[CV= f[CVi-1i-1, M, Mii]; H(M)=CV]; H(M)=CVLL
typically focus on collisions in function ftypically focus on collisions in function f like block ciphers is often composed of roundslike block ciphers is often composed of rounds attacks exploit properties of round functionsattacks exploit properties of round functions
35
Message Authentication Codes
The attacks that have been mounted on hash functions are rather complex and beyond our scope here.