Download - Authentication Function 2: Message Authentication Code

Transcript
Page 1: Authentication Function 2: Message Authentication Code

Authentication Function 2:

Message Authentication Code

Page 2: Authentication Function 2: Message Authentication Code

Message Authentication Code (MAC)• generated by an algorithm that creates a small fixed-sized block

– depending on both message and some key– like encryption though need not be reversible (receiver also

recomputes it. No decryption needed)• appended to message as a signature• receiver performs same computation on message and checks it

matches the MAC• provides assurance that message is unaltered and comes from

sender– Message: M– Shared secret key: K– MAC function: C (For a message M: MACM = CK(M) )

Page 3: Authentication Function 2: Message Authentication Code

Message Authentication Code (MAC)

• If we assume that only receiver and sender knows the key, and if received MAC matches the calculated MAC, then

1. the receiver is assured that the message has not been altered

2. the receiver is assured that the message is from alleged sender.

3. the attacker cannot alter the sequence number

Page 4: Authentication Function 2: Message Authentication Code

Message Authentication Code (I)

MAC=MAC

Page 5: Authentication Function 2: Message Authentication Code

Message Authentication Code (II)

MAC MAC=

Page 6: Authentication Function 2: Message Authentication Code

Message Authentication Code (III)

MAC=MAC

Page 7: Authentication Function 2: Message Authentication Code

Importance of MAC

• as shown the MAC provides confidentiality• can also use encryption for secrecy

– generally use separate keys for each– can compute MAC either before or after

encryption– is generally regarded as better if done before

• why use a MAC?– sometimes only authentication is needed– sometimes need authentication to persist longer

than the encryption

Page 8: Authentication Function 2: Message Authentication Code

Uses of MAC

• Same message is broadcasts to a number of destinations.

eg. alarm signal in a military control server.• Time can be reduced in case of decrypting all incoming

messages.• It can save the processor resource and give assurance

of the integrity of the program

Page 9: Authentication Function 2: Message Authentication Code

MAC Properties

• a MAC is a cryptographic checksumMAC = CK(M)

– condenses a variable-length message M– using a secret key K– to a fixed-sized authenticator

• is a many-to-one function– potentially many messages have same

MAC

Page 10: Authentication Function 2: Message Authentication Code

Properties of MAC Function

• A MAC function is similar to encryption. But, it need not be reversible, as it must be for decryption.

• For n-bit MAC, there are 2n possible MACs. But there might be N >> 2n possible messages. So, it is a many-to-one function. – e.g. 100-bit messages and we use a 10-bit MAC.

There are 2100 different messages but only 210 different MACs. On average, each MAC represents 2100/210=290 different messages.

• It turned out that MAC is less vulnerable to be broken than encryption.

Page 11: Authentication Function 2: Message Authentication Code

Requirements for MAC Functions

• taking into account the types of attacks• Brute-force technique to discover the authentication key is as hard as

decryption without key– Suppose key size > MAC size (k>n). Given a known plaintext M1

and its MAC1=CK(M1):

• attacker may generate MACi=CKi(Mi) for all 2k keys. The opponent generates 2k MACs. But there are only 2n real MAC values.

• On average a total of 2k/2n=2(k-n) keys will produce a match

Page 12: Authentication Function 2: Message Authentication Code

Requirements for MAC Functions cont’

• and the opponent wouldn’t know which one is correct.• m round where k=m.n is needed to find the key.

• Need the MAC to satisfy the following:1. knowing a message and MAC, is infeasible to find another

message with same MAC2. MACs should be uniformly distributed3. MAC should depend equally on all bits of the message

Page 13: Authentication Function 2: Message Authentication Code

Hash Functions

• A one-way hash function can be used as the message authentication code.

• Other names: compression function, contraction function, message digest, fingerprint, cryptographic checksum, message integrity check (MIC), modification detection code (MDC).

• condenses arbitrary message to fixed size, H(M) • usually assume that the hash function is public and not keyed

– Contrary to the MAC which is keyed• hash used to detect changes to message• can use in various ways with message• most often to create a digital signature (when public/private key is

available)

Page 14: Authentication Function 2: Message Authentication Code

Hash Functions (I)

Page 15: Authentication Function 2: Message Authentication Code

Hash Functions (II)

Page 16: Authentication Function 2: Message Authentication Code

Hash Functions (III)

Page 17: Authentication Function 2: Message Authentication Code

Hash Functions (IV)

Page 18: Authentication Function 2: Message Authentication Code

Hash Functions (V)

S: Common secret value

(If attacker can do H-1(C)=S||M, then having also M, he can easily find S)

Page 19: Authentication Function 2: Message Authentication Code

Hash Functions (VI)

S: Common secret value

Page 20: Authentication Function 2: Message Authentication Code

Hash Function Properties

• a Hash Function produces a fingerprint of some file/message/data

h = H(M)• condenses a variable-length message M to a fixed-

sized fingerprint• assumed to be public

Page 21: Authentication Function 2: Message Authentication Code

Requirements for Hash Functions

1. can be applied to any sized message M2. produces fixed-length output h3. is easy to compute h=H(M) for any message M4. given h is infeasible to find x s.t. H(x)=h

• one-way property (level of effort needed by attacker ≈ 2m for hash code of length m)

5. given x is infeasible to find y s.t. H(y)=H(x)• weak collision resistance (level of effort needed 2m)

6. is infeasible to find any x,y s.t. H(y)=H(x)• strong collision resistance (level of effort needed 2m/2)

Page 22: Authentication Function 2: Message Authentication Code

Simple Hash Functions• are several proposals for simple functions• based on XOR of message blocks

– e.g. longitudinal redundancy check is a simple parity for each bit position Ci=bi1 bi2 … bim

• not secure since can manipulate bits (bij) in message that either not change hash code (C) or change the hash itself

• need a stronger cryptographic function (Chapter 12)

Page 23: Authentication Function 2: Message Authentication Code

The Secure Hash Algorithm (SHA-1)

SHA-1SHA-1

A message A message composed composed of b bitsof b bits

160-bit 160-bit message message digestdigest

Page 24: Authentication Function 2: Message Authentication Code

Step 1 -- Padding

Padding the total length of a padded message is multiple of 512

Every message is padded even if its length is already a multiple of 512

Page 25: Authentication Function 2: Message Authentication Code

Padding (cont.)

Message Message length1 zeros

64 bits

Multiple of 512

1 bit

Page 26: Authentication Function 2: Message Authentication Code

Padding (cont.)

Padding is done by appending to the input:A single bit, 1

Enough additional bits, all 0, to make the final 512 block exactly 448 bits long

A 64-bit integer representing the length of the original message in bits

Page 27: Authentication Function 2: Message Authentication Code

Example M = 01100010 11001010 1001 (20 bits)

Padding is done by appending to the input:A single bit, 1427 0sA 64-bit integer representing 20

Pad(M) = 01100010 11001010 10011000 … 00010100

Page 28: Authentication Function 2: Message Authentication Code

Example Length of M = 500 bits

Padding is done by appending to the input:A single bit, 1459 0sA 64-bit integer representing 500

Length of Pad(M) = 1024 bits

Page 29: Authentication Function 2: Message Authentication Code

Message Digest Generation Using SHA-1

Page 30: Authentication Function 2: Message Authentication Code

SHA-1 Processing of single 512-Bit Block

Page 31: Authentication Function 2: Message Authentication Code

SHA Overview1. pad message so that we have: length mod 512 = 448 or

equivalently length ≡ 448 (mod 512)2. append a 64-bit length value to message3. initialize 5-word (160-bit) buffer (A,B,C,D,E) to the following using

big-endian format:(67452301, efcdab89, 98badcfe, 10325476, c3d2e1f0)

4. process message in 16-word (512-bit) chunks:– expand 16 words into 80 words by mixing & shifting – use 4 rounds of 20 bit operations on message block & buffer – add output to input to form new buffer value

5. output hash value is the final buffer value

Page 32: Authentication Function 2: Message Authentication Code

Single 512-Bit Block Function in SHA-1

Page 33: Authentication Function 2: Message Authentication Code

Summary of SHA-1 Behavior

• The SHA-1 behaviour can be summarized as:– CV0 = IV– CVq+1= SUM32 [CVq, ABCDEq]– MD = CVL

• Where:– IV: Initial value (stored in ABCDE buffers)– ABCDEq: the output of the last round of processing in the qth 512-bit

block of the message– L: number of blocks in the message (including padding and the length

fields)– CVq: chaining variable processed with the qth block– SUM32: addition mod 232 performed separately on each word of the pair

of inputs– MD: final message digest value

Page 34: Authentication Function 2: Message Authentication Code

SHA-1 Compression Function

• each round has 20 steps which replaces the 5 buffer words thus:[A,B,C,D,E][(E+f(t,B,C,D)+S5(A)+Wt+Kt),A,S30(B),C,D]

• a,b,c,d refer to the 4 words of the buffer• t is the step number (0≤t≤79)• Sk: circular left-shift (rotation) of the 32-bit argument by k bits (same as

“<<< k”)• f(t,B,C,D) is a nonlinear function for round• Wt is derived from the message block • Kt is a additive constant value derived from integer part of 232 x i0.5 for

i=2,3,5,10.• All +’s are modulo 232 additions

Page 35: Authentication Function 2: Message Authentication Code

SHA-1 Compression Function

Circular Left Shift (rotation) by k bits

Page 36: Authentication Function 2: Message Authentication Code

Logical Functions f

• In terms of logical operations: – 0≤t≤19 f1= f(t,B,C,D)= BC + B’D– 20≤t≤39 f2= f(t,B,C,D)= B C D– 40≤t≤59 f3= f(t,B,C,D)= BC + BD + CD– 60≤t≤79 f4= f(t,B,C,D)= B C D

Page 37: Authentication Function 2: Message Authentication Code

Additive Constant Kt• Only 4 distinct constants are used:

Page 38: Authentication Function 2: Message Authentication Code

Hash Algorithms

Page 39: Authentication Function 2: Message Authentication Code

Hash Algorithms

• see similarities in the evolution of hash functions & block ciphers– increasing power of brute-force attacks– leading to evolution in algorithms– from DES to AES in block ciphers– from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash

algorithms• likewise tend to use common iterative structure

as do block ciphers

Page 40: Authentication Function 2: Message Authentication Code

MD5/MD4 Algorithm

Page 41: Authentication Function 2: Message Authentication Code

MD5

• designed by Ronald Rivest (the R in RSA – Rivest-Shamir-Adleman)

• latest in a series of MD2, MD4 • produces a 128-bit hash value• until recently was the most widely used hash algorithm

– in recent times have both brute-force & cryptanalytic concerns

• specified as Internet standard RFC1321

Page 42: Authentication Function 2: Message Authentication Code

MD5 Overview• Step 1: pad message so that we have: length mod 512 = 448 or equivalently length ≡ 448 (mod 512)

– The above makes the length of padded message to be 64 bits less than an integer multiple of 512 bits.

– Padding is always added even if the message is already of the desired length. e.g. if the message is 448 bits long, it is padded by 512 bits to a length of 960 bits.

– Number of padding bits is in range of 1 to 512 bits.– Padding is a single “1” followed by the necessary number of “0”s

• Step 2: append a 64-bit length value to message – This is K mod 264 where k is the length of message

Page 43: Authentication Function 2: Message Authentication Code

MD5 Overview (cont.)• Step 3: initialize 4-word (128-bit) MD buffer (A,B,C,D) to given

values:– A=67452301, B=EFCDAB89, C=98BADCFE, D=10325476 Save the values in little-endian format (the least significant byte of a

word in the low-address position)– Word A= 01 23 45 67, Word B= 89 AB CD EF, – Word C= FE DC BA 98 , Word D= 76 54 32 10

• Step 4: process message in 16-word (512-bit) blocks: – using 4 rounds of 16 bit operations on message block & buffer – add output to buffer input to form new buffer value

• Step 5: After all L 512-bit blocks have been processed the output from the Lth stage is the 128-bit message digest (hash code).

Page 44: Authentication Function 2: Message Authentication Code

MD5 Structure

Page 45: Authentication Function 2: Message Authentication Code

Single 512-bit (HMD5) Block

Page 46: Authentication Function 2: Message Authentication Code

Summary of MD5 Behavior• The MD5 behaviour can be summarized as:

– CV0 = IV– CVq+1= SUM32[CVq,RFI(Yq,RFH(Yq,RFG(Yq,RFF(Yq,CVq))))]– MD = CVL-1

• Where:– IV: Initial value (stored in ABCD buffers)– Yq: the qth 512-bit block of the message– L: number of blocks in the message– CVq: chaining variable processed with the qth block– RFx: round function using primitive logical function x– SUM32: addition mod 232 performed separately on each word of the pair

of inputs– MD: final message digest value

Page 47: Authentication Function 2: Message Authentication Code

MD5 Compression Function

• each round has 16 steps of the form: a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)

• a,b,c,d refer to the 4 words of the buffer, but used in varying permutations– note this updates 1 word only of the buffer– after 16 steps each word is updated 4 times

• where g(b,c,d) is a different nonlinear function in each round (F,G,H,I) (see book for details)

• X[k]=M[q*16+k]=the kth 32-bit word in the qth 512-bit block of the message• T[i] is a constant value derived from sin, that is T[i] = 232 * abs[sin(i)] and can

be found in a lookup table (matrix T)• <<< s is circular shift of the 32-bit argument by s bits• All additions are modulo 232

Page 48: Authentication Function 2: Message Authentication Code

SHA-1 versus MD5

• brute force attack is harder (160 vs 128 bits for MD5)

• not vulnerable to any known attacks (compared to MD4/5)

• a little slower than MD5 (80 vs 64 steps) • both designed as simple and compact• optimized for big-endian CPU's (vs MD5 which is

optimised for little-endian CPU’s)

Page 49: Authentication Function 2: Message Authentication Code

Summary of SHA-384

Page 50: Authentication Function 2: Message Authentication Code

Summary of SHA-512