ch11

1Message Authentication and Hash Functions

Cryptography & Network Security H. Yoon

Chap 11.

Message Authentication and Hash Functions



Authentication Requirements

• Kind of attacks in the context of communications across a network1. Disclosure2. Traffic analysis3. Masquerade4. Content modification5. Sequence modification6. Timing modification7. Source repudiation8. Destination repudiation

Confidentiality

Message Authentication Digital

Signature

Specialized Digital Signature

Authentication Requirements



• Message authentication– A procedure to verify that received messages come from the

alleged source and have not been altered– Message authentication may also verify sequencing and

timeliness

• Digital signature– An authentication technique that also includes measures to

counter repudiation by the source

Authentication RequirementsAuthentication Requirements



Authentication Functions• Message authentication or digital signature

mechanism can be viewed as having two levels– At lower level: there must be some sort of functions producing an

authenticator – a value to be used to authenticate a message– This lower level functions is used as primitive in a higher level

authentication protocol

• Three classes of functions that may be used to produce an authenticator– Message encryption

» Ciphertext itself serves as authenticator– Message authentication code (MAC)

» A function of the message and a secret key that produces a fixed-length value that serves as the authenticator

– Hash function» A function that maps a message of any length into a fixed-

length hash value that serves as the authenticator

Authentication Functions



Message Encryption

• Symmetric encryption can serve as authenticator– Symmetric encryption provides authentication as well as

confidentiality– Requires recognizable plaintext or other structure to distinguish

between well-formed legitimate plaintext and meaningless random bits» e.g., ASCII text, an appended checksum, or use of layered

protocols

• Public-key encryption also can serve as authenticator




Basic Uses of Message EncryptionAuthentication Functions




Basic Uses of Message Encryption



Basic Uses of Message Encryption



Ways of Providing Structure - 1• Append an error-detecting code (frame check sequence

(FCS) or checksum) to each message before encryption




Message Authentication Code

• Uses a shared secret key to generate a fixed-size block of data (known as a cryptographic checksum or MAC) that is appended to the message

• MAC = CK(M), where C is a MAC function

• Assurances:– Message has not been altered– Message is from the alleged sender– Message sequence is unaltered (requires internal sequencing)

• Similar to encryption but MAC algorithm need not be reversible




Basic Uses of MACAuthentication Functions



Basic Uses of MACAuthentication Functions



Why Use MACs?

• Why not just use encryption?– Cleartext stays clear– MAC might be cheaper– Sometimes only authentication is needed

» Broadcast» Authentication of executable codes

– Sometimes need authentication to persist longer than the encryption (e.g., archival use)

– Separation of authentication and confidentiality provides architectural flexibility

• MAC does not provide a digital signature– Because both sender and receiver share the same key




Hash Function

• One-way hash function – Converts a variable size message M into fixed size hash code

H(M) (Sometimes called a message digest)– Unlike the MAC, a hash code does not use a key but is a

function only of the input message– Provides message integrity

• Can be used with encryption or a shared key for authentication– E(M || H(M)) : identical to the internal error control strategy– M || E(H(M)) : a MAC– M || signed H : typical digital signature – E(M || signed H)– M || H(M || K) : keyed hash (no encryption)– E(M || H(M || K))





Basic Uses of Hash Function











Message Authentication Codes

• MAC = CK(M)– M is a variable-length message– K is a key shared only by sender and receiver – MAC is the fixed-length authenticator

• Key length requirements– Sufficient key length to thwart brute-force attack– On average, require 2k-1 attempts for a k-bit key

MACs



Brute-force Attacks on MACs• Let k = key length, n = MAC length• Suppose confidentiality is not employed;

i.e., the opponent has access to plaintext messages and their associated MACs

• If k > n– Brute force gives 2(k-n) candidate keys

» Given a known M1 and MAC1, with MAC1 = CK1(M1), the cryptanalyst can perform MACi = CKi(M1) for all possible key values Ki.

» At least one key is guaranteed to produce a match » On average, a total of 2k/2n = 2(k-n) keys will produce a match

– Second round (a new M and MAC) reduces this to 2(k-2n) candidate keys

– On average, this requires k/n rounds

• If k n, one round should suffice

MACs



Attacks on MACs• Other attacks are possible, depending on the MAC

algorithm

• E.g., consider the following MAC algorithm– Let M = (X1 || X2 || … || Xm) be a message that is treated as a

concatenation of 64-bit blocks Xi

– Define (M) = X1 X2 Xm; CK(M) = EK[(M)]

• The opponent can attack the system as follows:– Replace Xi by Yi for i = 1 to m-1– Calculate Ym to produce the right checksum, and replace Xm by Ym

» Ym = Y1 Y2 Ym-1 (M) – The new message, Y1 thru Ym, with the original MAC will be

accepted as authentic by the receiver– With this tactic, any message of length 64 (m-1) bits can be

fraudulently inserted

MACs



Requirements for MAC Functions

• Assume that an opponent knows the MAC function C but does not know K. Then the MAC function should have the following properties:

1. Given M and Ck(M), it must be computationally infeasible to construct M’ s.t. Ck(M’) = Ck(M)

2. CK(M) should be uniformly distributed in the sense that for any M and M’, Pr[Ck(M) = Ck(M’)] should be 2-n, where n is the length of the MAC

3. Let M’ be equal to some known transformation on M. That is, M’ = f(M). In that case, Pr[Ck(M) = Ck(M’)] = 2-n.

MACs



MAC Based on DES (CBC-MAC)• Last block of CBC mode of DES, with IV = 0• Referred to as Data Authentication Algorithm (FIPS

PUB 113 and ANSI standard (X9.17))– Security weaknesses have been discovered and it is being

replaced (refer to Chap.12 CMAC)• Data Authentication Code (DAC) consists of 16 to 64

leftmost bits of ON

MACs



Hash Functions

• h = H(M)– M is a variable-length message– h is a fixed-length hash value– H is a hash function

• The hash value is appended at the source• The receiver authenticates the message by

recomputing the hash value• Because the hash function itself is not considered

to be secret, some means is required to protect the hash value

Hash Functions



Hash Function Requirements

1. H can be applied to any size data block2. H produces fixed-length output3. H(x) is relatively easy to compute for any given x4. H is one-way, i.e., given h, it is computationally

infeasible to find any x s.t. h = H(x)5. H is weakly collision resistant: given x, it is

computationally infeasible to find any y x s.t. H(x) = H(y)

6. H is strongly collision resistant: it is computationally infeasible to find any x and y s.t. H(x) = H(y)

Hash Functions



Simple Hash Functions• Operation of hash functions

– The input is viewed as a sequence of n-bit blocks– The input is processed one block at a time in an iterative fashion to

produce an n-bit hash function

• Simplest hash function: Bitwise XOR of every block– Ci = bi1 bi2 … bim

» Ci = i-th bit of the hash code, 1 i n» m = number of n-bit blocks in the input» bij = i-th bit in j-th block

– Known as longitudinal redundancy check– Not useful as a one-way function– Less effective in some cases

» E.g., if only 7-bit out of 8-bit characters is used in text files, the 128-bit hash value is effectively 112-bit

• We will encounter strong hash functions in Chap.12

Hash Functions



Simple Hash FunctionsHash Functions

• Improvement over the simple bitwise XOR (Rotated XOR)– Initially set the n-bit hash value to zero– Process each successive n-bit block of data as

» Rotate the current hash value to the left by one bit

» XOR the block into the hash value

• Effect on “randomizing” the input

ch11

Documents