Lecture 04 Message Authentication and Hash Functions Supakorn Kungpisdan, Ph.D. [email protected].

Lecture 04Message Authentication

and Hash FunctionsSupakorn Kungpisdan, Ph.D.

[email protected]

ITEC4614 Network Security and Implementation 2

Outline

Authentication Requirements Authentication Functions Hash and MAC Algorithms


What is Authentication?

A procedure to verify that received messages come from the alleged sourced and have not been altered. Digital Signature is one of the techniques including

countermeasure of repudiation by either source or destination.


Authentication Requirements

Possible attacks1. Disclosure2. Traffic Analysis3. Masquerade4. Content Modification5. Sequence Modification6. Timing Modification7. Repudiation: source and destination repudiation

Attacks#1-2 -> Confidentiality Attacks#3-7 -> Authentication

Especially #7 is related to Digital Signature


Authentication Functions

3 Types of cryptographic operations related to authentication: Message Encryption Message Authentication Code (MAC) Hash Function


Message Encryption

Conventional Encryption


Conventional Encryption (cont.)

Conventional encryption provides a weak form of authentication

If Bob can recover a message encrypted with a shared key between Alice and Bob, Bob knows that Alice sent this message.

If the message has been altered, Bob would not be able to read it.


Message Encryption (cont.)

Public-key Encryption


Confidentiality and Authentication Implications of Message Encryption


Confidentiality and Authentication Implications of Msg Encryption (cont.)


Message Authentication Codes (MACs)

MAC involves the use of a secret key to generate a small fixed-size block of data.

A MAC is known as a cryptographic checksum:

MAC = CK(M)where M is a variable-length message,

K is a secret key shared between sender and receiver, and

CK is fixed-length authenticator MAC is appended to the message and sent over to receiver.


Message Authentication Code

MAC is irreversible, but encryption isn’t.1. Alice and Bob share the secret K1.2. Alice calculates MAC1 = CK1(M)

AliceBob: {M, MAC1}3. Bob calculates MAC2 = CK1(M)

If MAC2 = MAC1, M is sent from Alice and not altered

Confidentiality can be provided by encryption with another shared key. AliceBob: {M, MAC1}K2


Requirements for MACs

1. If an opponent observes M and CK(M), it should be computationally infeasible to construct M’ such that CK(M’) = CK(M).

2. CK(M) should be uniformly distributed in the sense that for randomly chosen messages, M and M’, the probability that CK(M) = CK(M’) is 2-n, where n is the number of bits in the MAC.

3. Let M’ be equal to some known transformation on M. That is, M’ = f(M). E.g. f may involve inverting one or more specific bits.

In that case, Pr[CK(M) = CK(M’)] = 2-n.

Using Symmetric Ciphers for MACs

can use any block cipher chaining mode and use final block as a MAC

Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC using IV=0 and zero-pad of final block encrypt message using DES in CBC mode and send just the final block as the MAC

or the leftmost M bits (16≤M≤64) of final block

but final MAC is now too small for security

14ITEC4614 Network Security and Implementation

Data Authentication Algorithm



Hash Functions

A (one-way) hash function accepts a variable-size message M as input and produces a fixed-size hash code H(M) as output (called Message Digest)

Hash code provides error detection -> a change in one bit of message results in a change to the hash code.


Requirements for a Hash Functions

1. H can be applied to a block of data of any size.2. H produces a fixed-length output.3. It is easy to compute H(x) from any given x.4. For any given h, computationally infeasible to find x, where H(x) =

h (“one-way property”)5. For any x, computationally infeasible to find y, y≠x, H(y) = H(x)

(“weak collision resistance”)6. Computationally infeasible to find any pair of (x, y) such than H(x)

= H(y) (“strong collision resistance”)


Simple Hash Function

Bit-by-bit exclusive-OR (XOR)

Ci = bi1 bi2 … bim

where Ci = ith bit of the hash code, 1 ≤ i ≤ n

m = no. of n-bit blocks in the input

bij = ith bit in jth block

= XOR operation


Basic Uses of Hash Functions

Digital Signature


Basic Uses of Hash Functions (cont.)

S is shared btw sender and receiver

Hash and MAC Algorithms

Hash Functions condense arbitrary size message to fixed size by processing message in blocks through some compression function either custom or block cipher based

Message Authentication Code (MAC) fixed sized authenticator for some message to provide authentication for message by using block cipher mode or hash function



Roadmap

Authentication Requirements Authentication Functions Hash and MAC Algorithms

MD5 SHA-1 HMAC


General Structure of Hash Function

f: compression function taking two inputs and producing n-bit output

CV0 = IV = initial n-bit value

CVi = f(CVi-1, Yi-1), 1 ≤ i ≤ L

H(M) = CVL


MD5 Message Digest Algorithm


MD5 Steps

1. Append padding bits: up to 64 bits less than multiple of 512 bits2. Append length: 64-bit representation of the length in bits. If message is longer

than 264 bits, only low-order 64 bits of the length are used. Message length = K mod 264. K is the message represented in

decimal number. The message is represented as a sequence of 512-bit blocks Y0, Y1,

…, YL-1

So, we have L blocks of 512 bits Each block is divided into 16 32-bit words. Total number of words in the message is N represented by M[0,…, N-

1]

N = L x 16


MD5 Steps (cont.)

3. Initialize MD buffer The buffer is represented as

4 32-bit registers (A, B, C, D) Initialization value (in HEX)

A: 01 23 45 67 (32 bits)

B: 89 AB CD EFC: FE DC BA 98D: 76 54 32 10


MD5 Steps (cont.)

4. Process message in 512-bit (16-word) blocks


MD5 Steps (cont.)

5. OutputCV0 = IV

CVq+1 = SUM32(CVq,RFI[Yq,RFH[Yq,RFG[Yq,RFF[Yq,CVq]]]])MD = CVL

IV = initial value of ABCD bufferYq = the qth 512-bit block of the messageL = the number of blocks in the messageCVq = chaining variable processed with qth message blockRFx = round function using primitive function xMD = final message digest valueSUM32 = Addition modulo 232 performed separately on each word of the pair of inputs


MD5 Compression Function

S-bit circular left shift

Addition modulo


MD5 Compression Function (cont.)

Each step is in the form:

a <- b + ((a + g(b,c,d)) + X[k] + T[i] <<< s)

a,b,c,d = four words of the bufferg = one of the primitive functions F,G,H,I<<<s = s-bit circular left shiftX[k] = M[q x 16 + k] = the kth 32-bit word in the qth 512-bit-block of the messageT[i] = the ith 32-bit word in matrix T+ = addition modulo 232


MD5 Update Algorithm

L = N/161 block = 16 words


SHA-1

MD5 accepts arbitrary length of input and produces 128-bit output.

SHA-1 accepts arbitrary length (less than 264 bits) of input and produces 160-bit output.


SHA-1 Steps

1. Append padding bits to 64 bits less than multiple of 512 bit (length 448 mod 512)

2. Append length: length of original message in binary (64 bits)3. Initialize MD buffer (160 bits)

Initialization valueA: 67 45 23 01B: EF CD AB 89C: 98 BA DC FED: 10 32 54 76E: C3 D2 E1 F0


SHA-1 Steps (cont.)

4. Process message in 512-bit (16-word) blocks: for each 512-bit message to be processed, 4 rounds, 20 steps each (compared to 16 steps each in MD5) So, 80 steps for 4 rounds


SHA-1 Steps (cont.)


SHA-1 Steps (cont.)

5. Output After all 512-bit blocks have been processed, the output from Lth

stage is the 160-bit message digest.

CV0 = IVCVq+1 = SUM32(CVq, ABCDEq)

IV = initial value of ABCDE bufferABCDEq = the output of the last round of processing of the qth message blocksL = no. of message blocksSUM32 = Addition modulo 232


SHA-1 Compression Function In each of the 80 rounds of processing one 512-bit message block

A,B,C,D,E <- (E + f(t, B, C, D) + S5(A) + Wt + Kt), A, S30(B), C, D

A,B,C,D,E = words of the buffert = step number, 0 ≤ t ≤ 79f(t,B,C,D) = primitive function for step tSk = k-bit circular shift of the 32-bit argumentWt = a 32-bit word derived from the current 512-bit input blockKt = an additive constant for step t+ = addition modulo 232


SHA-1 Compression Function (cont.)


SHA-1 Compression Function (cont.)

Wt = S1(Wt-16 Wt-14 Wt-8 Wt-3)


SHA-1 VS MD5

Security against brute-force attacks Length of SHA-1 output is longer than that of MD5

Security against cryptanalysis Both MD5 and SHA-1 are reported collision

Speed SHA-1 is slower than MD5 80 versus 64 steps each

round Simplicity and compactness

Both are simple

SHA-2

NIST issued revision FIPS 180-2 in 2002 adds 3 additional versions of SHA

SHA-256, SHA-384, SHA-512 designed for compatibility with increased security

provided by the AES cipher structure & detail is similar to SHA-1 hence analysis should be similar but security levels are rather higher


SHA-512 Overview


Keyed Hash Functions as MACs

want a MAC based on a hash function because hash functions are generally faster code for crypto hash functions widely available

hash includes a key along with message original proposal:

KeyedHash = Hash(Key|Message) some weaknesses were found with this

eventually led to development of HMAC



HMAC (Hashed MAC)

A MAC based on a cryptographic hash code Motivations:

Executing a hash function faster than a symmetric encryption Library code for hash functions is widely available. No export restrictions from the US to other countries

HMAC

specified as Internet standard RFC2104 uses hash function on the message:

HMACK = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad)||M)]]

where K+ is the key padded out to size and opad, ipad are specified padding constants overhead is just 3 more hash calculations than the

message needs alone any hash function can be used

eg. MD5, SHA-1, RIPEMD-160, Whirlpool



H = hash functionM = MessageYi = ith block of M, 0 ≤ i ≤ L-1L = no. of blocks in Mb = no. of bits in a block (based on chosen hash fn)n = length of hash codeK = secret keyK+ = K padded with zeros on the left so that the length is b bitsipad = 00110110 repeated b/8 timesopad = 01011010 repeated b/8 times

HMACK = H[(K+ opad)||H[(K+ ipad)||M]]

HMAC Algorithm


Advantages of HMAC

Existing hash function can be implemented in HMAC Easy to replace with more secure or updated hash algorithm HMAC is proven more secure than hash algorithms

HMAC Security

proved security of HMAC relates to that of the underlying hash algorithm

attacking HMAC requires either: brute force attack on key used birthday attack (but since keyed would need to observe

a very large number of messages) choose hash function used based on speed verses

security constraints


Questions?

Quiz

1. Describe the difference between hash functions and MACs in terms of security and their usages

2. Can we product a MAC using:2.1 symmetric encryption?2.2 public-key encryption?

Then compare them with HMAC


Lecture 04 Message Authentication and Hash Functions Supakorn Kungpisdan, Ph.D. [email protected].

Documents

Transcript of Lecture 04 Message Authentication and Hash Functions Supakorn Kungpisdan, Ph.D. [email protected].