Authentication Function 2: Message Authentication Code
-
Upload
lavanyakodidasu -
Category
Documents
-
view
580 -
download
0
Transcript of Authentication Function 2: Message Authentication Code
![Page 1: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/1.jpg)
Authentication Function 2:
Message Authentication Code
![Page 2: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/2.jpg)
Message Authentication Code (MAC)• generated by an algorithm that creates a small fixed-sized block
– depending on both message and some key– like encryption though need not be reversible (receiver also
recomputes it. No decryption needed)• appended to message as a signature• receiver performs same computation on message and checks it
matches the MAC• provides assurance that message is unaltered and comes from
sender– Message: M– Shared secret key: K– MAC function: C (For a message M: MACM = CK(M) )
![Page 3: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/3.jpg)
Message Authentication Code (MAC)
• If we assume that only receiver and sender knows the key, and if received MAC matches the calculated MAC, then
1. the receiver is assured that the message has not been altered
2. the receiver is assured that the message is from alleged sender.
3. the attacker cannot alter the sequence number
![Page 4: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/4.jpg)
Message Authentication Code (I)
MAC=MAC
![Page 5: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/5.jpg)
Message Authentication Code (II)
MAC MAC=
![Page 6: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/6.jpg)
Message Authentication Code (III)
MAC=MAC
![Page 7: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/7.jpg)
Importance of MAC
• as shown the MAC provides confidentiality• can also use encryption for secrecy
– generally use separate keys for each– can compute MAC either before or after
encryption– is generally regarded as better if done before
• why use a MAC?– sometimes only authentication is needed– sometimes need authentication to persist longer
than the encryption
![Page 8: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/8.jpg)
Uses of MAC
• Same message is broadcasts to a number of destinations.
eg. alarm signal in a military control server.• Time can be reduced in case of decrypting all incoming
messages.• It can save the processor resource and give assurance
of the integrity of the program
![Page 9: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/9.jpg)
MAC Properties
• a MAC is a cryptographic checksumMAC = CK(M)
– condenses a variable-length message M– using a secret key K– to a fixed-sized authenticator
• is a many-to-one function– potentially many messages have same
MAC
![Page 10: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/10.jpg)
Properties of MAC Function
• A MAC function is similar to encryption. But, it need not be reversible, as it must be for decryption.
• For n-bit MAC, there are 2n possible MACs. But there might be N >> 2n possible messages. So, it is a many-to-one function. – e.g. 100-bit messages and we use a 10-bit MAC.
There are 2100 different messages but only 210 different MACs. On average, each MAC represents 2100/210=290 different messages.
• It turned out that MAC is less vulnerable to be broken than encryption.
![Page 11: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/11.jpg)
Requirements for MAC Functions
• taking into account the types of attacks• Brute-force technique to discover the authentication key is as hard as
decryption without key– Suppose key size > MAC size (k>n). Given a known plaintext M1
and its MAC1=CK(M1):
• attacker may generate MACi=CKi(Mi) for all 2k keys. The opponent generates 2k MACs. But there are only 2n real MAC values.
• On average a total of 2k/2n=2(k-n) keys will produce a match
![Page 12: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/12.jpg)
Requirements for MAC Functions cont’
• and the opponent wouldn’t know which one is correct.• m round where k=m.n is needed to find the key.
• Need the MAC to satisfy the following:1. knowing a message and MAC, is infeasible to find another
message with same MAC2. MACs should be uniformly distributed3. MAC should depend equally on all bits of the message
![Page 13: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/13.jpg)
Hash Functions
• A one-way hash function can be used as the message authentication code.
• Other names: compression function, contraction function, message digest, fingerprint, cryptographic checksum, message integrity check (MIC), modification detection code (MDC).
• condenses arbitrary message to fixed size, H(M) • usually assume that the hash function is public and not keyed
– Contrary to the MAC which is keyed• hash used to detect changes to message• can use in various ways with message• most often to create a digital signature (when public/private key is
available)
![Page 14: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/14.jpg)
Hash Functions (I)
![Page 15: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/15.jpg)
Hash Functions (II)
![Page 16: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/16.jpg)
Hash Functions (III)
![Page 17: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/17.jpg)
Hash Functions (IV)
![Page 18: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/18.jpg)
Hash Functions (V)
S: Common secret value
(If attacker can do H-1(C)=S||M, then having also M, he can easily find S)
![Page 19: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/19.jpg)
Hash Functions (VI)
S: Common secret value
![Page 20: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/20.jpg)
Hash Function Properties
• a Hash Function produces a fingerprint of some file/message/data
h = H(M)• condenses a variable-length message M to a fixed-
sized fingerprint• assumed to be public
![Page 21: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/21.jpg)
Requirements for Hash Functions
1. can be applied to any sized message M2. produces fixed-length output h3. is easy to compute h=H(M) for any message M4. given h is infeasible to find x s.t. H(x)=h
• one-way property (level of effort needed by attacker ≈ 2m for hash code of length m)
5. given x is infeasible to find y s.t. H(y)=H(x)• weak collision resistance (level of effort needed 2m)
6. is infeasible to find any x,y s.t. H(y)=H(x)• strong collision resistance (level of effort needed 2m/2)
![Page 22: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/22.jpg)
Simple Hash Functions• are several proposals for simple functions• based on XOR of message blocks
– e.g. longitudinal redundancy check is a simple parity for each bit position Ci=bi1 bi2 … bim
• not secure since can manipulate bits (bij) in message that either not change hash code (C) or change the hash itself
• need a stronger cryptographic function (Chapter 12)
![Page 23: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/23.jpg)
The Secure Hash Algorithm (SHA-1)
SHA-1SHA-1
A message A message composed composed of b bitsof b bits
160-bit 160-bit message message digestdigest
![Page 24: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/24.jpg)
Step 1 -- Padding
Padding the total length of a padded message is multiple of 512
Every message is padded even if its length is already a multiple of 512
![Page 25: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/25.jpg)
Padding (cont.)
Message Message length1 zeros
64 bits
Multiple of 512
1 bit
![Page 26: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/26.jpg)
Padding (cont.)
Padding is done by appending to the input:A single bit, 1
Enough additional bits, all 0, to make the final 512 block exactly 448 bits long
A 64-bit integer representing the length of the original message in bits
![Page 27: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/27.jpg)
Example M = 01100010 11001010 1001 (20 bits)
Padding is done by appending to the input:A single bit, 1427 0sA 64-bit integer representing 20
Pad(M) = 01100010 11001010 10011000 … 00010100
![Page 28: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/28.jpg)
Example Length of M = 500 bits
Padding is done by appending to the input:A single bit, 1459 0sA 64-bit integer representing 500
Length of Pad(M) = 1024 bits
![Page 29: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/29.jpg)
Message Digest Generation Using SHA-1
![Page 30: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/30.jpg)
SHA-1 Processing of single 512-Bit Block
![Page 31: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/31.jpg)
SHA Overview1. pad message so that we have: length mod 512 = 448 or
equivalently length ≡ 448 (mod 512)2. append a 64-bit length value to message3. initialize 5-word (160-bit) buffer (A,B,C,D,E) to the following using
big-endian format:(67452301, efcdab89, 98badcfe, 10325476, c3d2e1f0)
4. process message in 16-word (512-bit) chunks:– expand 16 words into 80 words by mixing & shifting – use 4 rounds of 20 bit operations on message block & buffer – add output to input to form new buffer value
5. output hash value is the final buffer value
![Page 32: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/32.jpg)
Single 512-Bit Block Function in SHA-1
![Page 33: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/33.jpg)
Summary of SHA-1 Behavior
• The SHA-1 behaviour can be summarized as:– CV0 = IV– CVq+1= SUM32 [CVq, ABCDEq]– MD = CVL
• Where:– IV: Initial value (stored in ABCDE buffers)– ABCDEq: the output of the last round of processing in the qth 512-bit
block of the message– L: number of blocks in the message (including padding and the length
fields)– CVq: chaining variable processed with the qth block– SUM32: addition mod 232 performed separately on each word of the pair
of inputs– MD: final message digest value
![Page 34: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/34.jpg)
SHA-1 Compression Function
• each round has 20 steps which replaces the 5 buffer words thus:[A,B,C,D,E][(E+f(t,B,C,D)+S5(A)+Wt+Kt),A,S30(B),C,D]
• a,b,c,d refer to the 4 words of the buffer• t is the step number (0≤t≤79)• Sk: circular left-shift (rotation) of the 32-bit argument by k bits (same as
“<<< k”)• f(t,B,C,D) is a nonlinear function for round• Wt is derived from the message block • Kt is a additive constant value derived from integer part of 232 x i0.5 for
i=2,3,5,10.• All +’s are modulo 232 additions
![Page 35: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/35.jpg)
SHA-1 Compression Function
Circular Left Shift (rotation) by k bits
![Page 36: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/36.jpg)
Logical Functions f
• In terms of logical operations: – 0≤t≤19 f1= f(t,B,C,D)= BC + B’D– 20≤t≤39 f2= f(t,B,C,D)= B C D– 40≤t≤59 f3= f(t,B,C,D)= BC + BD + CD– 60≤t≤79 f4= f(t,B,C,D)= B C D
![Page 37: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/37.jpg)
Additive Constant Kt• Only 4 distinct constants are used:
![Page 38: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/38.jpg)
Hash Algorithms
![Page 39: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/39.jpg)
Hash Algorithms
• see similarities in the evolution of hash functions & block ciphers– increasing power of brute-force attacks– leading to evolution in algorithms– from DES to AES in block ciphers– from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash
algorithms• likewise tend to use common iterative structure
as do block ciphers
![Page 40: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/40.jpg)
MD5/MD4 Algorithm
![Page 41: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/41.jpg)
MD5
• designed by Ronald Rivest (the R in RSA – Rivest-Shamir-Adleman)
• latest in a series of MD2, MD4 • produces a 128-bit hash value• until recently was the most widely used hash algorithm
– in recent times have both brute-force & cryptanalytic concerns
• specified as Internet standard RFC1321
![Page 42: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/42.jpg)
MD5 Overview• Step 1: pad message so that we have: length mod 512 = 448 or equivalently length ≡ 448 (mod 512)
– The above makes the length of padded message to be 64 bits less than an integer multiple of 512 bits.
– Padding is always added even if the message is already of the desired length. e.g. if the message is 448 bits long, it is padded by 512 bits to a length of 960 bits.
– Number of padding bits is in range of 1 to 512 bits.– Padding is a single “1” followed by the necessary number of “0”s
• Step 2: append a 64-bit length value to message – This is K mod 264 where k is the length of message
![Page 43: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/43.jpg)
MD5 Overview (cont.)• Step 3: initialize 4-word (128-bit) MD buffer (A,B,C,D) to given
values:– A=67452301, B=EFCDAB89, C=98BADCFE, D=10325476 Save the values in little-endian format (the least significant byte of a
word in the low-address position)– Word A= 01 23 45 67, Word B= 89 AB CD EF, – Word C= FE DC BA 98 , Word D= 76 54 32 10
• Step 4: process message in 16-word (512-bit) blocks: – using 4 rounds of 16 bit operations on message block & buffer – add output to buffer input to form new buffer value
• Step 5: After all L 512-bit blocks have been processed the output from the Lth stage is the 128-bit message digest (hash code).
![Page 44: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/44.jpg)
MD5 Structure
![Page 45: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/45.jpg)
Single 512-bit (HMD5) Block
![Page 46: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/46.jpg)
Summary of MD5 Behavior• The MD5 behaviour can be summarized as:
– CV0 = IV– CVq+1= SUM32[CVq,RFI(Yq,RFH(Yq,RFG(Yq,RFF(Yq,CVq))))]– MD = CVL-1
• Where:– IV: Initial value (stored in ABCD buffers)– Yq: the qth 512-bit block of the message– L: number of blocks in the message– CVq: chaining variable processed with the qth block– RFx: round function using primitive logical function x– SUM32: addition mod 232 performed separately on each word of the pair
of inputs– MD: final message digest value
![Page 47: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/47.jpg)
MD5 Compression Function
• each round has 16 steps of the form: a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
• a,b,c,d refer to the 4 words of the buffer, but used in varying permutations– note this updates 1 word only of the buffer– after 16 steps each word is updated 4 times
• where g(b,c,d) is a different nonlinear function in each round (F,G,H,I) (see book for details)
• X[k]=M[q*16+k]=the kth 32-bit word in the qth 512-bit block of the message• T[i] is a constant value derived from sin, that is T[i] = 232 * abs[sin(i)] and can
be found in a lookup table (matrix T)• <<< s is circular shift of the 32-bit argument by s bits• All additions are modulo 232
![Page 48: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/48.jpg)
SHA-1 versus MD5
• brute force attack is harder (160 vs 128 bits for MD5)
• not vulnerable to any known attacks (compared to MD4/5)
• a little slower than MD5 (80 vs 64 steps) • both designed as simple and compact• optimized for big-endian CPU's (vs MD5 which is
optimised for little-endian CPU’s)
![Page 49: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/49.jpg)
Summary of SHA-384
![Page 50: Authentication Function 2: Message Authentication Code](https://reader033.fdocuments.net/reader033/viewer/2022061118/5468982daf79592a298b462e/html5/thumbnails/50.jpg)
Summary of SHA-512