Message Authentication and Hash Functions

4/10/2011

Authentication Requirements 

Kind of attacks (threats) in the context of communications across a network  Disclosure Traffic analysis (discover the pattern) source) Masquerade (insert a message from a fraudulent source) Content modification (insert, delete, delete, reorder reorder)) Sequence modification (insert, Timing modification (delay or replay) 7. Source Source Repudiation Repudiation (denial of a transmission) 8. Destination Repudiation (denial of a receipt) 1. 2. 3. 4. 5. 6.



Measures to deal with first two attacks: address essed ed with with  In the realm of message confidentiality, and are addr encryption





Measures to deal with items 3 thru 6  Message authentication Measures to deal with items 7 and 8 

Digital signature

Authentication Requirements 

Message authentication A

procedure to verify that messages come from the alleged source and have not been altered Messag agee auth authen enti tica cati tion on may may also also verif erifyy sequ sequen enci cing ng and and  Mess timeliness 

Digital signature authentication technique that also includes measures to counter repudiation by either source or destination

 An

Mukesh Chinta Asst Prof CSE VNRVJIET

1

4/10/2011

Authentication Functions 

Message authentication or digital signature mechanism can be viewed as having two levels  authenticator and High level authentication protocol



Thr Three clas classe sess of func functi tion onss can can be used used to prod produc ucee an authenticator Message

encryption Ciphertext itself serves as authenticator cod e (MAC) Message authentication code A public function of the message and a secret key that produces a fixed-length value that serves as the authenticator Hash function A public function that maps a message of any length into a fixedlength hash value, which serves as the authenticator authenticator 





Message Encryption 

Conventional Conventional encryption can serve as authenticator authenticator 



Conve Conventio ntional nal encryp encryptio tionn prov provide idess authentication as well as confidentiality 

if symmetric encryption is used then:  receiver

knows sender must have created it  knows content cannot be altered, if message has suitable structure, redundancy or a checksum to detect any changes 

if public-key public-key encryption is used: confidentiality, but not  encryption provides confidentiality,

authentication  can provide authentication as well as signature, but at the cost of  two public key key uses on the message.

Mukesh Chinta Asst Prof CSE VNRVJIET

2

4/10/2011

Basic Uses of Message Encryption

Ways of Providing Structure 

Append an error-detecting code (frame (frame check check sequence (FCS)) to each message

Mukesh Chinta Asst Prof CSE VNRVJIET

3

4/10/2011

Implications Implicat ions of Message Encryption

Message Authentication Code 

Uses a shared secret key to generate a fixed-size block of data (kno (known wn as a cryp crypto togr grap aphi hicc chec checks ksum um or MAC) MAC) tha that is appended to the message



MAC = CK(M)



Assurances:   



Message has not been altered  Message is from alleged sender  Message sequence is unaltered (requires internal sequencing)

Simi Simila larr to encry encrypt ptio ionn but but MAC MAC algor algorit ithm hm need need not not be reversible

Mukesh Chinta Asst Prof CSE VNRVJIET

4

4/10/2011

Basic Uses of MAC

Basic Uses of MAC

Mukesh Chinta Asst Prof CSE VNRVJIET

5

4/10/2011

Where MAC’s are used?? 







In applications where the same message is broadcast to a number of destinations, it is sent in plaintext with associated MAC to prove authentication. Situations where authentication cannot be done for every message, but on on selective messages Authentication of a computer program in plaintext is very attractive and also proves proves integrity In applications where the message need not be kept secret, but it is very important to authenticate messages

Hash Function 





Accepts Accepts a variable-s variable-size ize message M as input and produces produces a fixedfixedsize hash code H(M){ some times called message digest} as output The hash code is a function of all the bits of the message and provides an error-detection capability. capability. Can be used with encryption for authentication      

E(M || H) M || E(H) M || signed H E( M || signed H ) gives confidentiality M || H( M || K ) E( M || H( M || K ) )

Mukesh Chinta Asst Prof CSE VNRVJIET

6

4/10/2011

Basic Uses of Hash Function

Basic Uses of Hash Function

Mukesh Chinta Asst Prof CSE VNRVJIET

7

4/10/2011

Basic Uses of Hash Function

Requirements for MAC Functions 

Assume that an opponent knows the MAC function C but does not know K. Then the MAC function should have the following properties MAC= CK(M)

1. Given M and Ck(M), it must be computationally infeasible to

construct M’ s.t. Ck(M’) = Ck(M) 2. CK(M) should be uniformly distributed in the sense that for any

M and M’, Pr[Ck(M) = Ck(M’)] should be 2-n, where n is the length of the MAC MAC transformation on on M. That is, 3. Let M’ be equal to some known transformati M’ = f(M).

In that case,

Mukesh Chinta Asst Prof CSE VNRVJIET

Pr[Ck(M) = Ck(M’)] = 2-n,

8

4/10/2011

MAC Based on DES Uses CBC mode of operation of DES with IV = 0





Referred to as Data Authentication Authentication Algorithm (FIPS PUB 113 and ANSI ANSI standard (X9.17)) ON = EK(DN XOR ON-1)



Data Authentication Code (DAC) consists of 16 to 64 leftmost bits of O N

Hash Functions 



 



h = H(M) M is a variable-length message, h is a fixed-length hash value, H is a hash function The hash value is appended at the source The receiver authenticates the message by recomputing the hash value Beca Becaus usee the the hash hash func functio tionn itse itself lf is not not cons consid ider ered ed to be secret, some means is required to protect protect the hash value

Mukesh Chinta Asst Prof CSE VNRVJIET

9

4/10/2011

Hash Function Requirements 1. H can be applied to any size data block 2. H produces fixed-length output 3. H(x) is relatively relatively easy to compute for any given x

computationally infeasible to 4. H is one-way , i.e., given h, it is computationally find any any x s.t. h = H(x) 5. H is weakly collision resistant : given x, it is computationally

infeasible to find any y  x s.t. H(x) = H(y) 6. H is strongly collision resistant : it is computationally computationally infeasible to find any any x and y s.t. H(x) = H(y) H(y)

Hash Function Requirements 

One-way One-way property is essential for authentication



Weak collision resistance is necessary to prevent forgery



Strong Strong collis collision ion resis resistan tance ce is importa important nt for resist resistan ance ce to birthday attack

Mukesh Chinta Asst Prof CSE VNRVJIET

10

4/10/2011

HASH Algorithms



MD5 Message Digest Algorithm Algorithm



Secure Hash Algorithm (SHA-1 and SHA-512)



RIPEMD-160



HMAC

Hash Algorithm Structure 



The hash algorithm involves repeated use of a compression function, f, that takes two inputs(an n-bit input from the previous previous step and a b-bit block) and produces an n-bit output The final value of the chaining variable is the hash value.

Mukesh Chinta Asst Prof CSE VNRVJIET

11

4/10/2011

MD5 Message Digest Algorithm    

Developed by Ron Rivest at MIT Input: a message of arbitrary a rbitrary length Output: 128-bit message digest 32-bit word units, 512-bit blocks

MD5 Logic 

Step 1: Append padding bits 







Padded so that its bit length  448 mod 512 (i.e., the length of padded message is 64 bits less than an integer multiple of 512 bits) Padding is always added, even if the message is already of the desired length (1 to 512 bits) Padding bits: 1000….0 (a single 1 -bit followed by the necessary number of 0 -bits)

Step 2: Append length 

  

64-bit length: contains the length length of the original message message modulo 264

The expanded message is Y 0, Y1, …, YL-1; the total length is L  512 bits The expanded message message can be thought of as as a multiple of 16 32-bit words Let M[0 … N-1] N-1] denote the word of the resulting message, where N = L  16

Mukesh Chinta Asst Prof CSE VNRVJIET

12

4/10/2011

MD5 Logic 

Step 3: Initialize MD buffer 



128-bit buffer (four 32-bit registers A,B,C,D) is used to hold intermediate and final results of the hash function A,B,C,D are initialized to the following values  

A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 103254 76 Stored in little-endian format (least significant byte of a word in the lowaddress byte position) 



E.g. word A: 01 23 45 67 (low address … high address)

Step 4: Process message in 512-bit (16-word) blocks 

Heart of the algorithm called a compression function



Consists of 4 rounds









The 4 rounds have a similar structure, but each uses a different primitive logical functions, referred to as F, G, H, and I Each round takes as input the current 512-bit block (Yq), 128-bit buffer value ABCD and updates the contents of the buffer Each round also uses the table T[1 … 64], constructed from the sine function; T[i] = 232  abs(sin(i)) The output of 4th round is added to the CV q to produce CVq+1



MD5 processing of a single 512- bit block

Mukesh Chinta Asst Prof CSE VNRVJIET

13

4/10/2011

MD5 Logic 

Table T, constructed from the sine function –  T[i] = integer part of 2 32  abs(sin(i)), where i is in radians

MD5 Logic 

Step 5: Output 



After all L 512-bit blocks have been processed, the output from the Lth stage is the 128-bit message digest

CV 0 = IV  CV q+1 = SUM 32(CV q, RFI [Y q, RFH [Y q, RFG[Y q, RFF[Y q, CV q]]]) MD = CV L where IV

= initia initiall value value of the ABCD ABCD buffe buffer, r, define defined d in step step 3

Yq

= the qth 512-bit block of the message

L

= the number number of block blockss in the mess messag agee (inclu (includin ding g paddin padding g and length fields)

CVq

= chaining variable processed with the q th block of the message

RFx

= round function using primitive logical function x

MD

= final final mess messag agee diges digestt value value

SUM32 = addition modulo 2 32 performed separately on each word

Mukesh Chinta Asst Prof CSE VNRVJIET

14

4/10/2011

MD5 Compression Function 



Each round consists of a sequence of 16 steps operating on the buffer ABCD Each step is of the form a b + (( a + g(b, c, d) + X[k] + T[i]