Message Message Authentication and Authentication and

Hash FunctionsHash Functions

K. U. KhimaniK. U. Khimani

Asst. Prof.Asst. Prof.

IT Dept.IT Dept.

VVP Engineering CollegeVVP Engineering College

What is Authentication?What is Authentication?

In the context of computer systems, authentication is a process that ensures and confirms a user’s identity.

For example, ID-Password combination, biometrics(retina, fingerprints…), etc.

MessageMessage AuthenticationAuthentication

Message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution)*

Will consider the Security Requirements

Then three alternative functions used: Message Encryption Message Authentication Code (MAC) Hash Function

Message Security RequirementsMessage Security Requirements

disclosure traffic analysis masquerade content modification sequence modification timing modification source repudiation destination repudiation

In summary, message authentication is a procedure to verify that In summary, message authentication is a procedure to verify that received messages come from the alleged source and have not received messages come from the alleged source and have not been altered. Message authentication may also verify sequencing been altered. Message authentication may also verify sequencing

and timelinessand timeliness. .

Symmetric Message EncryptionSymmetric Message Encryption

Encryption can also provide Authentication. If symmetric encryption is used then:

receiver know sender must have created it since only sender and receiver now key used know content cannot of been altered

if message has suitable structure, redundancy or a checksum to detect any changes.

Public-Key Message EncryptionPublic-Key Message Encryption

If public-key encryption is used: encryption provides no confidence of sender since anyone potentially knows public-key however if sender signs message using their private-key,

then encrypts with recipients public key have both secrecy and authentication.

The disadvantage of this approach is that, the public key algorithm, which is complex, must be exercised four times rather than two in each communication.

Message Authentication Code Message Authentication Code (MAC)(MAC)

generated by an algorithm that creates a small fixed-sized block

depends on both message and some key

appended to message as a signature

receiver performs same computation on message and checks it matches the MAC

provides assurance that message is unaltered and comes from sender

MACMAC A small fixed-sized block of data

generated from message + secret key

MAC = C(K,M) M = input message C = MAC function K = shared secret key

appended to message when sent

MACMAC

as shown the MAC provides authenticationas shown the MAC provides authentication

can also use encryption for secrecycan also use encryption for secrecy generally use separate keys for eachgenerally use separate keys for each can compute MAC either before or after encryptioncan compute MAC either before or after encryption is generally regarded as better done beforeis generally regarded as better done before

why use a MAC?why use a MAC? sometimes only authentication is neededsometimes only authentication is needed

note that a MAC is not a digital signaturenote that a MAC is not a digital signature

Why MAC?Why MAC? Symmetric Encryption provides authentication and Symmetric Encryption provides authentication and

because it is widely used with readily available products, because it is widely used with readily available products, why not simply use this instead of a separate MAC?why not simply use this instead of a separate MAC?

We will discuss situations in which a message We will discuss situations in which a message authentication code is used.authentication code is used.

Why MAC?Why MAC?(1)(1)

There are a number of applications in which the same There are a number of applications in which the same message is broadcast to a number of destinations.message is broadcast to a number of destinations.E.g. notifications to users that the network is now E.g. notifications to users that the network is now unavailable or an alarm signal in a military control centre.unavailable or an alarm signal in a military control centre.It is cheaper and more reliable to have only one It is cheaper and more reliable to have only one destination responsible for monitoring authenticity.destination responsible for monitoring authenticity.Thus, the message must be broadcast in plaintext with an Thus, the message must be broadcast in plaintext with an associated MAC.associated MAC.The responsible system has the secret key and performs The responsible system has the secret key and performs authentication. If violation occurs, the other destination authentication. If violation occurs, the other destination systems are alerted by general alarm.systems are alerted by general alarm.

Why MAC?Why MAC?(2)(2)

Another possible scenario is an exchange in which one Another possible scenario is an exchange in which one side has a heavy load and cannot afford the time to decrypt side has a heavy load and cannot afford the time to decrypt all incoming messages.all incoming messages.Authentication is carried out on a selective basis, Authentication is carried out on a selective basis, message being chosen at random for checking.message being chosen at random for checking.

Why MAC?Why MAC?(3)(3)

Authentication of a computer program in plaintext as an Authentication of a computer program in plaintext as an attractive service.attractive service.The computer program can be executed without having to The computer program can be executed without having to decrypt it every time, which would be wasteful of processor decrypt it every time, which would be wasteful of processor resources.resources.However, if a MAC were attached to the program, it could However, if a MAC were attached to the program, it could be checked whenever assurance was required of the be checked whenever assurance was required of the integrity of the program.integrity of the program.

MACMAC

a MAC is a cryptographic checksuma MAC is a cryptographic checksum

MAC = CMAC = CKK(M)(M) condenses a variable-length message Mcondenses a variable-length message M using a secret key Kusing a secret key K to a fixed-sized authenticatorto a fixed-sized authenticator

is a many-to-one functionis a many-to-one function potentially many messages have same MACpotentially many messages have same MAC but finding these needs to be very difficultbut finding these needs to be very difficult

Requirements for MACsRequirements for MACs

taking into account the types of attacks, need the MAC taking into account the types of attacks, need the MAC to satisfy the following:to satisfy the following:

1.1. knowing a message and MAC, is infeasible to find knowing a message and MAC, is infeasible to find another message with same MACanother message with same MAC

2.2. MACs should be uniformly distributed in the sense MACs should be uniformly distributed in the sense that, for two randomly chosen messages, probability that, for two randomly chosen messages, probability that C(K,M) = C(K,M’) is 2^-n, where n is the that C(K,M) = C(K,M’) is 2^-n, where n is the number of bits in MAC.number of bits in MAC.

3.3. MAC should depend equally on all bits of the MAC should depend equally on all bits of the messagemessage

Using Symmetric Ciphers for Using Symmetric Ciphers for MACsMACs

can use any block cipher chaining mode and use final can use any block cipher chaining mode and use final block as a MACblock as a MAC

Data Authentication Algorithm (DAA)Data Authentication Algorithm (DAA) is a widely used is a widely used MAC based on DES-CBCMAC based on DES-CBC using IV=0 and zero-pad of final blockusing IV=0 and zero-pad of final block encrypt message using DES in CBC modeencrypt message using DES in CBC mode and send just the final block as the MACand send just the final block as the MAC

• or the leftmost M bits (16or the leftmost M bits (16≤M≤64) of final block≤M≤64) of final block

but final MAC is now too small for securitybut final MAC is now too small for security

Data Authentication AlgorithmData Authentication Algorithm

Hash FunctionsHash Functions

A hash value h is generated by a function H of the form h A hash value h is generated by a function H of the form h = H(M)= H(M)

where M is a variable-length message and H(M) where M is a variable-length message and H(M) is a fixed-length hash value.is a fixed-length hash value.

The hash value is appended to the message at the The hash value is appended to the message at the source. The receiver authenticates that message by source. The receiver authenticates that message by recomputing the hash value.recomputing the hash value.

Requirements of a Hash FunctionRequirements of a Hash Function

H can be applied to a block of data of any size.H can be applied to a block of data of any size. H produces a fixed-length output.H produces a fixed-length output. H(x) is relatively easy to compute for any given xH(x) is relatively easy to compute for any given x For any h, it is computationally infeasible to find x such For any h, it is computationally infeasible to find x such

that H(x) = h. It is One-way Property.that H(x) = h. It is One-way Property. For any given block x, it is computationally infeasible to For any given block x, it is computationally infeasible to

find y ≠ x such that H(y) = H(x). It is called Weak find y ≠ x such that H(y) = H(x). It is called Weak Collision Resistance.Collision Resistance.

It is computationally infeasible to find any It is computationally infeasible to find any xx and and yy, with , with x x y y such that such that H(x) = H(y). It is called Strong H(x) = H(y). It is called Strong Collision Resistance.Collision Resistance.

Basic uses of Hash FunctionBasic uses of Hash Function

Confidentiality and Authentication

Authentication

Authentication, Digital Signature

Basic uses of Hash FunctionBasic uses of Hash Function

Authentication, DS, Confidentiality

Authentication (No encryption needed)

Authentication, Confidentiality

Simple Hash FunctionSimple Hash Function

Security of MACs and HashSecurity of MACs and Hash

Just as with symmetric and public-key encryption, we Just as with symmetric and public-key encryption, we can group attacks on hash functions and MACs into two can group attacks on hash functions and MACs into two categories: brute-force attacks and cryptanalysis.categories: brute-force attacks and cryptanalysis.

brute-forcebrute-force attacks exploiting attacks exploiting strong collision resistance hash have cost 2strong collision resistance hash have cost 2

mm//22

• 128-bit hash looks vulnerable, 160-bits better128-bit hash looks vulnerable, 160-bits better MACs with known message-MAC pairsMACs with known message-MAC pairs

• can either attack key space (cf key search) or MACcan either attack key space (cf key search) or MAC• at least 128-bit MAC is needed for securityat least 128-bit MAC is needed for security

Security of MACs and HashSecurity of MACs and Hash

A brute-force attack on a MAC is a more difficult A brute-force attack on a MAC is a more difficult undertaking than a brute-force attack on a hash function undertaking than a brute-force attack on a hash function because it requires known message-MAC pairs.because it requires known message-MAC pairs.

A brute-force attack on MAC has cost related to A brute-force attack on MAC has cost related to min(2^k,2^n), similar to symmetric encryption algorithms. min(2^k,2^n), similar to symmetric encryption algorithms. It is required that min (k, n) >= N, where N is perhaps in It is required that min (k, n) >= N, where N is perhaps in the range of 128 bits.the range of 128 bits.

Security of MACs and HashSecurity of MACs and Hash cryptanalytic attackscryptanalytic attacks exploit internal structure of f and exploit internal structure of f and

is based on attempts to find efficient techniques for is based on attempts to find efficient techniques for producing collision for a single execution of f.producing collision for a single execution of f.

Once that is done, the attack must take into account the Once that is done, the attack must take into account the fixed value of IV.fixed value of IV. like block ciphers want brute-force attacks to be the like block ciphers want brute-force attacks to be the

best alternativebest alternative

more variety of MACs so harder to generalize about more variety of MACs so harder to generalize about cryptanalysis. cryptanalysis.

Keyed Hash Functions as MACsKeyed Hash Functions as MACs want a MAC based on a hash function want a MAC based on a hash function

because hash functions are generally fasterbecause hash functions are generally faster crypto hash function code is widely availablecrypto hash function code is widely available

hash includes a key along with messagehash includes a key along with message

original proposal:original proposal:

Keyed Hash = Hash(Key | Message) Keyed Hash = Hash(Key | Message) some weaknesses were found with this some weaknesses were found with this

eventually led to development of HMAC eventually led to development of HMAC

HMAC HMAC Design ObjectivesDesign Objectives

use, without modifications, hash functionsuse, without modifications, hash functions

allow for easy replaceability of embedded hash functionallow for easy replaceability of embedded hash function

preserve original performance of hash function without preserve original performance of hash function without significant degradationsignificant degradation

use and handle keys in a simple way.use and handle keys in a simple way.

have well understood cryptographic analysis of have well understood cryptographic analysis of authentication mechanism strengthauthentication mechanism strength

HMACHMAC

specified as Internet standard RFC2104 specified as Internet standard RFC2104 uses hash function on the message:uses hash function on the message:

HMACHMACKK(M)= Hash[(K(M)= Hash[(K++ XOR opad) || XOR opad) || Hash[(KHash[(K++ XOR ipad) || M)] ] XOR ipad) || M)] ]

o MM is the message to be authenticated, is the message to be authenticated,o ∥ ∥ denotes concatenation,denotes concatenation,o ⊕ ⊕ denotes exclusive or (XOR),denotes exclusive or (XOR),o KK++ is the key padded out to sizeis the key padded out to sizeo opadopad, , ipad ipad are specified padding constants are specified padding constants any hash function can be usedany hash function can be used

E.g. MD5, SHA-1, RIPEMD-160, WhirlpoolE.g. MD5, SHA-1, RIPEMD-160, Whirlpool

HMAC HMAC OverviewOverview

HMACHMAC

Append zeros to the left end of K to create a b-bit string Append zeros to the left end of K to create a b-bit string K+ (if K is of length 160 bits and b = 512, then K will be K+ (if K is of length 160 bits and b = 512, then K will be appended with 44 zero bytes).appended with 44 zero bytes).

HMAC HMAC SecuritySecurity

proved proved security of HMAC relates to that of the underlying security of HMAC relates to that of the underlying hash algorithmhash algorithm

attacking HMAC requires either:attacking HMAC requires either: brute force attack on key usedbrute force attack on key used birthday attack (but since keyed would need to birthday attack (but since keyed would need to

observe a very large number of messages)observe a very large number of messages)

choose hash function used based on speed verses choose hash function used based on speed verses security constraintssecurity constraints