1

Message Message Authentication and Authentication and

Hash Functions Hash Functions G962110 G962110 何采宭何采宭

2

outlineoutline

Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of Hash Functions and Macs

3

Authentication RequirementsAuthentication Requirements

In the context of communications across a network, the following attacks can be identified:

1. Disclosure(洩漏 )2. Traffic analysis(流量分析 )3. Masquerade(偽裝 )4. Content modification(竄改內容 )5. Sequence modification(竄改順序 )6. Timing modification(竄改時序 )7. Source repudiation(來源端否認曾傳送內容 )8. Destination repudiation(目的端否認已收到訊息 )

屬於保密性的範圍

屬於訊息確認的範圍

數位簽

章數位簽

章及設

定

4

Authentication FunctionsAuthentication Functions

Any message authentication or digital signature mechanism has two levels of functionality

1. At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message

2. This lower-level function is then used as a primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message.

5

Authentication FunctionsAuthentication Functions

the types of functions that may be used to produce an authenticator. These may be grouped into three classes, as follows:

1. Message encryption: The ciphertext of the entire message serves as its authenticator

2. Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator

3. Hash function : A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator

6

Message Encryption Message Encryption

Message encryption by itself can provide a measure of authentication. The analysis differs for symmetric and public-key encryption schemes.

1.1. Symmetric EncryptionSymmetric Encryption

2.2. Public-Key EncryptionPublic-Key Encryption

3.3. Message Authentication CodeMessage Authentication Code

4.4. Hash FunctionHash Function

7

Symmetric Encryption Symmetric Encryption

8

Symmetric EncryptionSymmetric Encryption

suppose that we are transmitting English-language messages using a Caesar cipher with a shift of one (K = 1). A sends the following legitimate ciphertext:

nbsftfbupbutboeepftfbupbutboemjuumfmbnctfbujwz

B decrypts to produce the following plaintext:

mareseatoatsanddoeseatoatsandlittlelambseativy

9

Symmetric EncryptionSymmetric Encryption

A simple frequency analysis confirms that this message has the profile of ordinary English. On the other hand, if an opponent generates the following random sequence of letters:

　　 zuvrsoevgqxlzwigamdvnmhpmccxiuureosfbcebtqxsxq

this decrypts to:

　　 ytuqrndufpwkyvhfzlcumlgolbbwhttqdnreabdaspwrwp which does not fit the profile of ordinary English.

10

Symmetric EncryptionSymmetric Encryption

force the plaintext to have some structure that is easily recognized but that cannot be replicated without recourse to the encryption function Ex: error-detecting code (frame check

sequence, FCS/checksum)

11

Public-Key Encryption Public-Key Encryption

12

Public-Key EncryptionPublic-Key Encryption

13

Message Authentication Code Message Authentication Code

use of a secret key to generate a small fixed-size block of data that is appended to the message.

assumes that two communicating parties, say A and B, share a common secret key K.

When A has a message to send to B, it calculates the MAC as a function of the message and the key:MAC = CK (M), where M= input message C= MAC function K= shared secret key MAC= message authentication code

14

Message Authentication CodeMessage Authentication Code

if the received MAC matches the calculated MAC, then The receiver is assured that the message has not been altered The receiver is assured that the message is from the alleged

sender. If the message includes a sequence number (such as is used with

HDLC, X.25, and TCP), then the receiver can be assured of the proper sequence because an attacker cannot successfully alter the sequence number.

15

Message Authentication CodeMessage Authentication Code

16

Hash Function Hash Function

accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M).

Unlike a MAC, a hash code does not use a key but is a function only of the input message.

The hash code is a function of all the bits of the message and provides an error-detection capability: A change to any bit or bits in the message results in a change to the hash code.

17

Hash Function Hash Function

illustrates a variety of ways in which a hash code can be used to provide message authentication, as follows:

18

Hash Function Hash Function

19

Hash FunctionHash Function

20

Message Authentication Codes Message Authentication Codes

A MAC, also known as a cryptographic checksum, is generated by a function C of the form

MAC = CK (M) M is a variable-length message K is a secret key shared only by sender and receiver C(K, M) is the fixed-length authenticator.

is a many-to-one function potentially many messages have same MAC but finding these needs to be very difficult

21

Requirements for MACs Requirements for MACs

When an entire message is encrypted for confidentiality, using either symmetric or asymmetric encryption, the security of the scheme generally depends on the bit length of the key. brute-force attack

22

Requirements for MACsRequirements for MACs

taking into account the types of attacks need the MAC to satisfy the following:

1. knowing a message and MAC, is infeasible to find another message with same MAC

2. MACs should be uniformly distributed

3. MAC should depend equally on all bits of the message

23

Hash FunctionHash Function

A hash value h is generated by a function H of the form

h = H(M) M is a variable-length message H(M) is the fixed-length hash value

24

Requirements for a Hash Function

1. can be applied to any sized message M

2. produces fixed-length output h

3. is easy to compute h=H(M) for any message M

4. given h is infeasible to find x : H(x)=h• one-way property

5. given x is infeasible to find y : H(y)=H(x)• weak collision resistance

6. is infeasible to find any (x,y ): H(y)=H(x)• strong collision resistance

25

Simple Hash Functions

One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of every block. This can be expressed as follows:

Ci = bi1 b⊕ i1 ... b⊕ ⊕ im Ci= ith bit of the hash code, 1 i n≦ ≦ M = number of n-bit blocks in the input Bij = ith bit in jth block ⊕ = XOR operation

26

Birthday Attacks

might think a 64-bit hash is secure Yuval proposed the following strategy:

opponent generates 2m/2 variations of a valid message

all with essentially the same meaning opponent also generates 2

m/2 variations of a desired fraudulent message

two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)

have user sign the valid message, then substitute the forgery which will have a valid signature

The conclusion to be drawn from this is that the length of the hash code should be substantial

27

Block Chaining Techniques

number of proposals have been made for hash functions based on using a cipher block chaining technique, but without the secret key.

Divide a message M into fixed-size blocks M1, M2,..., MN and use a symmetric encryption system such as DES to compute the hash code G as follows: Ho= initial value

Hi= Emi[ Hi-1]

G= HN

28

Block Chaining Techniques

resulting hash is too small (64-bit) both due to direct birthday attack and to “meet-in-the-middle” attack

other variants also susceptible to attack

29

Security of Hash Functions and Macs

Just as with symmetric and public-key encryption, we can group attacks on hash functions and MACs into two categories: brute-force attacks and cryptanalysis.

30

Brute-Force Attacks

Hash Functions The strength of a hash function against brute-force

attacks depends solely on the length of the hash code produced by the algorithm. Recall from our discussion of hash functions that there are three desirable properties:

One-way: For any given code h, it is computationally infeasible to find x such that H(x) = h.

Weak collision resistance: For any given block x, it is computationally infeasible to find y x with H(y) = H(x).

Strong collision resistance: It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).

31

Brute-Force Attacks

For a hash code of length n, the level of effort required, as we have seen is proportional to the following:

One way 2n

Weak collision resistance

2n

Strong collision resistance

2n/2

32

Brute-Force Attacks

Message Authentication Codes A brute-force attack on a MAC is a more difficult

undertaking because it requires known message-MAC pairs

can either attack keyspace (key search) or MAC at least 128-bit MAC is needed for security

33

Cryptanalysis

As with encryption algorithms, cryptanalytic attacks on hash functions and MAC algorithms seek to exploit some property of the algorithm to perform some attack other than an exhaustive search.

34

Hash Functions

CVCVi i = f[CV= f[CVi-1i-1, M, Mii]; H(M)=CV]; H(M)=CVLL

typically focus on collisions in function ftypically focus on collisions in function f like block ciphers is often composed of roundslike block ciphers is often composed of rounds attacks exploit properties of round functionsattacks exploit properties of round functions

35

Message Authentication Codes

The attacks that have been mounted on hash functions are rather complex and beyond our scope here.