MESSAGE AUTHENTICATION and HASH FUNCTIONS - Chapter 11


Page 1:

• Masquerade – message insertion, fraud, ACK
• Content Modification
• Sequence Modification – insertion, deletion, re-ordering
• Timing Modification – delay, replay

Page 2:

AUTHENTICATION

• Message Encryption – E_K(M)
• Message Authentication Code (MAC) – C_K(M)
• Hash Function – H(M)

Page 3:

BASIC USES OF MESSAGE ENCRYPTION

[Figure 11.1 Basic Uses of Message Encryption, Source A to Destination B:
(a) Symmetric encryption: confidentiality and authentication: E_K(M)
(b) Public-key encryption: confidentiality: E_{KU_b}(M)
(c) Public-key encryption: authentication and signature: E_{KR_a}(M)
(d) Public-key encryption: confidentiality, authentication, and signature: E_{KU_b}[E_{KR_a}(M)]]

Page 4:

INTERNAL AND EXTERNAL ERROR CONTROL

[Figure 11.2 Internal and External Error Control, Source A to Destination B:
(a) Internal error control: E_K[M || F(M)]
(b) External error control: E_K[M] || F(E_K[M])]

Page 5:

STRUCTURE

Fig 11.1a : Legitimacy test at B (intelligible)
- small subset of plaintext legitimate
- structured

Fig 11.2a : Structured redundancy via FCS
- internal ECC
- authentication

Fig 11.2b : External ECC – opponent can construct code words
- authentication

Any 'structure' will do, e.g. Fig 11.3

Page 6:

BASIC USES OF MESSAGE ENCRYPTION

[Figure 11.1 Basic Uses of Message Encryption, repeated from Page 3]

Page 7:

PUBLIC-KEY

Fig 11.1b : Confidentiality

Fig 11.1c : Authentication - plaintext needs structure

Signature - only A could have sent, not even B

Fig 11.1 : Confidentiality / Authentication Table 11.1

Page 8:

TCP SEGMENT

[Figure 11.3 TCP Segment: bits 0 to 31 across; fields Source Port, Destination Port, Sequence Number, Acknowledgement Number, Data offset, Reserved, Flags, Window, Checksum, Urgent Pointer (20 octets), then Options + Padding and Application Data]

Page 9:

BASIC USES of MESSAGE AUTHENTICATION CODE (MAC)

[Figure 11.4 Basic Uses of Message Authentication Code (MAC), Source A to Destination B:
(a) Message authentication: M || C_K(M)
(b) Message authentication and confidentiality; authentication tied to plaintext: E_{K2}[M || C_{K1}(M)]
(c) Message authentication and confidentiality; authentication tied to ciphertext: E_{K2}[M] || C_{K1}[E_{K2}(M)]]

Page 10:

MAC

A, B share key, K
MAC = C_K(M)
Transmit message + MAC (Fig 11.4a)
MAC not necessarily reversible - less vulnerable than encryption

Page 11:

BASIC USES of MESSAGE AUTHENTICATION CODE (MAC)

[Figure 11.4 Basic Uses of Message Authentication Code (MAC), repeated from Page 9]

Page 12:

Authentication + Confidentiality

Figs 11.4b and 11.4c
- Two separate keys (Table 11.2)
- Fig 11.4b preferred

Use MAC, not conventional Encryption
- MAC gives no signature
- sender/receiver share key

Page 13:

Authentication + Confidentiality SCENARIOS

1. Broadcast message – one destination monitors authenticity
2. Heavy load – selective authentication
3. Sporadic authentication of computer program
4. Secrecy Unimportant
5. Separation of authentication and confidentiality - flexible
6. Prolong protection against modification

Page 14:

BASIC USES OF HASH FUNCTION

[Figure 11.5 Basic Uses of Hash Function (page 1 of 2), Source A to Destination B:
(a) E_K[M || H(M)]
(b) M || E_K[H(M)]
(c) M || E_{KR_a}[H(M)]]

Page 15:

BASIC USES OF HASH FUNCTION

[Figure 11.5 Basic Uses of Hash Function (page 2 of 2), Source A to Destination B:
(d) E_K[M || E_{KR_a}[H(M)]]
(e) M || H(M || S)
(f) E_K[M || H(M || S)]]

Page 16:

HASH FUNCTIONS

M: variable size
H(M): fixed size

M || H(M) (error detection)

Fig 11.5 – Table 11-3

(b) and (c) require less computation

(e) - no encryption

Page 17:

FOR AUTHENTICATION: COMPARE HASH WITH ENCRYPTION

Encryption is:
• Slow
• Costly in hardware
• Optimised for large data blocks
• Patented
• Export control

Page 18:

MAC

MAC = C_K(M): many-to-one, domain is arbitrary length

Attack: MAC collisions : 2^k keys, 2^n MACs, 2^n < 2^k

Many keys for one MAC : opponent cannot choose

Opponent must iterate attack for many MACs:
Round 1 : 2^{k-n} keys
Round 2 : 2^{k-2n} keys
...
Round r : 1 key
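The round-by-round shrinking of the candidate key set can be checked on toy parameters. The following is an added example, not part of the original slides: `toy_mac`, `eliminate_keys`, the 16-bit key and the 8-bit tag are all assumptions chosen so the whole key space can be enumerated, and truncated HMAC-SHA256 stands in for C_K.

```python
import hashlib
import hmac

K_BITS = 16  # toy key length k (assumption; small enough to enumerate)
N_BITS = 8   # toy tag length n, with 2^n < 2^k as on the slide


def toy_mac(key: int, message: bytes) -> int:
    """Hypothetical C_K(M): HMAC-SHA256 under a K_BITS-bit key, cut to N_BITS."""
    raw_key = key.to_bytes(K_BITS // 8, "big")
    digest = hmac.new(raw_key, message, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - N_BITS)


def eliminate_keys(true_key: int, messages):
    """Filter the key space round by round using known (M, MAC) pairs.

    Returns (survivors_per_round, final_candidates).
    """
    candidates = list(range(2 ** K_BITS))
    survivors = []
    for message in messages:
        tag = toy_mac(true_key, message)  # the (M, MAC) pair seen on the wire
        candidates = [k for k in candidates if toy_mac(k, message) == tag]
        survivors.append(len(candidates))
    return survivors, candidates


if __name__ == "__main__":
    # Constructed sample traffic: five distinct messages under one key.
    msgs = [b"constructed message %d" % i for i in range(5)]
    counts, final = eliminate_keys(0xBEEF, msgs)
    for rnd, count in enumerate(counts, start=1):
        print(f"round {rnd}: {count} candidate keys remain")
    print("slide's estimate for round 1:", 2 ** (K_BITS - N_BITS))
```

With realistic sizes (k and n of 128 bits or more) neither the first enumeration nor a tag guess is feasible, which is the min(2^k, 2^n) bound given later in the deck.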

Page 19:

MAC PROPERTIES

1. Given M and C_K(M), too much work to construct M' such that C_K(M') = C_K(M)

2. C_K(M) uniformly distributed: pr(C_K(M) = C_K(M')) = 2^{-n}

Page 20:

DATA AUTHENTICATION ALGORITHM (CBC Mode)

[Figure 11.6 Data Authentication Algorithm (FIPS PUB 113): chain of DES encryptions under key K (56 bits) at Time = 1, 2, ..., N-1, N; inputs D_1, D_2, ..., D_{N-1}, D_N (64 bits); outputs O_1, O_2, ..., O_{N-1}, O_N (64 bits), each output XORed into the next input; DAC (16 to 64 bits)]
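The chaining in Figure 11.6, written out as an added example that is not part of the original slides. DES is not in the Python standard library, so `stand_in_encrypt` (HMAC-SHA256 cut to 64 bits) is an assumed substitute for the DES encryption box; `dac` and `verify` are likewise names chosen here.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks D_1 .. D_N, as in the figure


def stand_in_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES encryption (assumption, see lead-in). CBC-MAC only
    runs the cipher forwards, so a keyed 64-bit function shows the chaining."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def dac(key: bytes, message: bytes, dac_bits: int = 32) -> bytes:
    """O_1 = E_K(D_1); O_i = E_K(D_i XOR O_{i-1}); DAC = leftmost bits of O_N."""
    if not 16 <= dac_bits <= 64 or dac_bits % 8:
        raise ValueError("DAC length must be 16 to 64 bits (whole bytes here)")
    # The final block is padded on the right with zeros, so messages that
    # differ only in trailing zero bytes share a DAC: the message length has
    # to be fixed or authenticated separately.
    if not message or len(message) % BLOCK:
        message += b"\x00" * (BLOCK - len(message) % BLOCK)
    chain = bytes(BLOCK)  # all-zero start, so O_1 = E_K(D_1)
    for i in range(0, len(message), BLOCK):
        d_i = message[i:i + BLOCK]
        chain = stand_in_encrypt(key, bytes(a ^ b for a, b in zip(d_i, chain)))
    return chain[:dac_bits // 8]


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the DAC and compare in constant time."""
    return hmac.compare_digest(dac(key, message, len(tag) * 8), tag)


if __name__ == "__main__":
    key = b"constructed-key"      # constructed sample key
    msg = b"PAY 100 TO ALICE"     # constructed sample message, two blocks
    tag = dac(key, msg)
    print("DAC:", tag.hex())
    print("unmodified message verifies:", verify(key, msg, tag))
    print("modified message verifies:", verify(key, b"PAY 900 TO ALICE", tag))
```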

Page 21:

HASH FUNCTIONS

h = H(x) - file fingerprint

Properties:

1. Any size input

2. Fixed-size output

3. H(x) easy to compute

4. Infeasible to compute x given h – (one-way) – 2^n

5. (Weak Collision Resistance) – 2^n
   Given x, infeasible to compute y not equal to x such that H(y) = H(x) - prevents forgery

6. (Strong Collision Resistance) – 2^{n/2}
   Infeasible to find (x,y) such that H(x) = H(y) - Birthday Attack

Page 22:

BIRTHDAY ATTACK

Given M, find M' such that H(M') = H(M): ~ 2^{n-1} hashes

But (Fig 11.5c),
• Prepare 2^{n/2} variations of M
• Prepare 2^{n/2} variations of M'
• Search for H(M) = H(M')
• Pr(success) > 0.5 using 2^{n/2} hashes
• A signs M H(M)
• Opponent substitutes M' for M
• A encrypts M' || H(M)

Page 23:

MEET-IN-THE-MIDDLE ATTACK

• Block Chaining

Given M = M_1 | M_2 | ... | M_N

H_0 = init

H_i = E_{M_i}[H_{i-1}]

G = H_N

Opponent has M and encrypted signature, G
• Construct arbitrary message Q_1 | Q_2 | ... | Q_{N-2}
• Compute H_i = E_{Q_i}[H_{i-1}] up to H_{N-2}
• Find X, Y such that E_X[H_{N-2}] = D_Y[G] (prob 2^{n/2})
• Construct Q_1 | Q_2 | ... | Q_{N-2} | X | Y = M'
• Substitute M' for M

Page 24:

BRUTE-FORCE ATTACKS

Hash : 2^{n/2}

MAC : min(2^k, 2^n) - like symmetric encryption

Page 25:

SECURE HASH CODE

[Figure 11.10 General Structure of Secure Hash Code: IV = CV_0 and input blocks Y_0, Y_1, ..., Y_{L-1} (b bits each) pass through f in sequence, giving CV_1, ..., CV_{L-1}, CV_L (n bits each)]

IV = Initial value
CV = chaining variable
Y_i = ith input block
f = compression algorithm
L = number of input blocks
n = length of hash code
b = length of input block

If compression function collision-resistant then so is iterated hash function

Page 26:

THE BIRTHDAY PARADOX

[Figure 11.11 The Birthday Paradox: plot of P(365, k) (vertical axis, 0.0 to 1.0) against k (horizontal axis, 0 to 70)]
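The curve in Figure 11.11 and the 2^{n/2} figure on the Birthday Attack slide come from the same calculation. The following added example (not part of the original slides) computes P(365, k) and then measures how many hashes it takes before two constructed messages share an n-bit code; SHA-256 truncated to n bits is an assumed stand-in for an n-bit hash, and all function names are chosen here.

```python
import hashlib


def birthday_probability(n_values: int, k: int) -> float:
    """P(n_values, k): chance that k uniform draws contain at least one repeat."""
    p_all_distinct = 1.0
    for i in range(k):
        p_all_distinct *= (n_values - i) / n_values
    return 1.0 - p_all_distinct


def smallest_k(n_values: int, target: float = 0.5) -> int:
    """Smallest k for which P(n_values, k) exceeds target."""
    k = 0
    while birthday_probability(n_values, k) <= target:
        k += 1
    return k


def truncated_hash(data: bytes, n_bits: int) -> int:
    """Leftmost n_bits of SHA-256, standing in for an n-bit hash code."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - n_bits)


def hashes_until_collision(n_bits: int):
    """Hash constructed variations until two share a code.

    Returns (hashes_computed, first_message, second_message)."""
    seen = {}
    count = 0
    while True:
        message = b"constructed variation %d" % count
        count += 1
        code = truncated_hash(message, n_bits)
        if code in seen:
            return count, seen[code], message
        seen[code] = message


if __name__ == "__main__":
    print("P(365, k) first exceeds 0.5 at k =", smallest_k(365))
    for n in (16, 20, 24):
        used, _, _ = hashes_until_collision(n)
        print(f"n={n}: collision after {used} hashes; "
              f"2^(n/2)={2 ** (n // 2)}, 2^(n-1)={2 ** (n - 1)}")
```

The measured counts track 2^{n/2} rather than 2^{n-1}, which is why a hash code needs about twice as many bits as the collision resistance required of it.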