Presentation on theme: "453 Network Security Section 3a: Message Authentication and Public-Key Cryptography Dr. E.C. Kulasekere Sri Lanka Institute of Information Technology -"— Presentation transcript:
453 Network Security Section 3a: Message Authentication and Public-Key Cryptography Dr. E.C. Kulasekere Sri Lanka Institute of Information Technology - 2006
Outline Message authentication vs. message confidentiality. Both required? Authentication methods –Hash functions –Secure hash function –Message authentication code (MAC) Public-key cryptography principles. Public-key cryptography algorithms. Digital signatures / implementation. Key management techniques.
Cryptography and Security Intruders, eavesdroppers and masqueraders in communication. A threat on message confidentiality and authentication
Confidentiality Vs. Authentication (1) Confidentiality safeguards your information from being viewed by others. This is protecting message content. Stop interception. Authentication verifies the integrity of data as well as verifying the sender. This can stop fabrication/Modification
Confidentiality Vs. Authentication (2) Authentication is arguably more important that message confidentiality (secrecy) in eCommerce applications. Generically encryption protects against passive attacks such as eavesdropping. Authentication provides protection against active attacks such as falsification and fabrication of data.
Authentication Without Confidentiality Is it desirable only to have authentication while ignoring message confidentiality? Example situation; civilian email versus military email. There are applications in which the same message is broadcast to a number of destinations. The content need not be secret but they need to be authenticated. Eg. ?
Example Situations Another scenario is if a system is handling a heavy load of messages and it cannot afford to spend time decrypting. The system will selectively decrypt to authenticate. Authentication of computer programs etc. Each time you use it its easier to authenticate a tag rather than go through a decryption program every time.
Primary Concerns of Authentication (1) Message came from apparent source or author – Source Authentication Contents have not been altered – Message Authentication Message timeliness or the sequence in which it was sent is not disturbed (it has not been artificially delayed or replayed).
Primary Concerns of Authentication (2) The above will be based on attacks such as –Disclosure –Traffic analysis –Masquerading –Fabrication –Sequence and timing modifications
Approaches to Message Authentication Broadly categorized into two methods, ones that uses encryption and ones that do not. Approaches –One that uses a key and encryption of message –One that does not use a key. –One that uses a key but no encryption of the message
Authentication Categories Authentication using conventional encryption: Only the sender and receiver should share a key which will provide the necessary authentication. Message authentication without message encryption: An authentication tag is generated and attached to the message. Message confidentiality is not guaranteed since the message is not encrypted. Message Authentication code: Calculate the MAC as a function of the message and the key.
Authentication Based on Message Encryption message encryption by itself also provides a measure of authentication. The analysis differs for symmetric and asymmetric encryption schemes. if symmetric encryption is used then: –receiver know sender must have created it –since only sender and receiver now key used –know content cannot of been altered –if message has suitable structure, redundancy or a checksum to detect any changes
Authentication Based on Message Encryption … Symmetric encryption: confidentiality and authentication provided
Authentication Based on Message Encryption … if public-key encryption is used: –encryption provides confidentiality but not authentication of sender –since anyone potentially knows public-key –however if sender signs message using their private-key then encrypts with recipients public key have both secrecy and authentication –again need to recognize corrupted messages Measure of error control can be used. –but at cost of two public-key used on message
Authentication Based on Message Encryption … This is the straightforward use of public key encryption. Source A uses the public key KU b of the destination to encrypt M This scheme does not provide any authentication because any opponent could also use B’s public key to encrypt a message claiming to be A B can decrypt at the destination because he is the only one who has the private key KR b
Authentication Based on Message Encryption … To provide the authentication part A uses its private key to encrypt the message, and B uses A’s public key to decrypt to authenticate. The principle here is similar to the digital signature principle. The reasoning is that A should be the only one who as A’s private key to generate that ciphered text. However this does not provide confidentiality since anyone with A’s public key can decrypt and see the message.
Authentication Based on Message Encryption … To provide both confidentiality and authentication, A can encrypt M first using its private key (the digital signature), then use B’s public key which will provide confidentiality. The only disadvantage is that the public key algorithm, which is complex must be exercises four times rather than two in each communication.
Authentication Based on Message Authentication Code (MAC) generated by an algorithm that creates a small fixed-sized block –depending on both message and some key –like encryption though need not be reversible receiver performs same computation on message and checks it matches the MAC. (Note that the MAC is not decoded hence cannot be used for anything). provides assurance that message is unaltered and comes from sender
Requirements for MAC Take into account the type of attacks –Brute force attack may not be feasible to attack MAC code. –See MAC write-up for reasons Need a MAC to satisfy the following –knowing a message and MAC, is infeasible to find another message with same MAC –MACs should be uniformly distributed. –MAC should depend equally on all bits of the message.
Features of MAC As shown the MAC provides confidentiality. The receiver is assured that the message is not altered. The attacker cannot alter the message without altering the MAC. Since the secret key is not known MAC cannot be altered and will be found out at matching at receiver. As a result the receiver is assured that it came from the sender.
Features of MAC … can also use encryption for secrecy –generally use separate keys for each –can compute MAC either before or after encryption –is generally regarded as better done before The message sequence number is also coded into the MAC, hence replay attacks and timing attacks are also not possible.
Features of MAC … why use a MAC? –sometimes only authentication is needed –sometimes need authentication to persist longer than the encryption (eg. archival use) Note that MAC is not a digital signature, rather a cryptographic checksum.
MAC Implementations Message Authentication and Confidentiality: Authentication Tied to plaintext
MAC Implementations Message Authentication and Confidentiality: Authentication Tied to ciphertext
MAC Based on DES 1.Based on CBC with IV set to zero 2.Block size is 64. The last block may be padded with zeros to make a 64-bit block 3.The data authentication code (DAC) consists of all O_N blocks or the last one. It can also be the left most M bits of the last block too. Remember that the MAC need not be reversible as in the case of encryption. We need to compare only.
Authentication Based on Hash (1) Variation of MAC known as one way hash functions can be used for authentication. Unlike the MAC, the hash function does not require a secret key. The Hash function accepts a variable size message and outputs a fixed size message digest H(M).
Authentication Based on Hash (2) To authenticate a message, the message digest is sent with the message in such a way that the message digest is authentic. hash used to detect changes to message can use in various ways with message –Using conventional encryption –Using public-key encryption –Using secret value Hash function itself is not considered to be secret. Hence systems described in the previous slides or the ones that follow have to be used to protect the hash.
Based on the assumption that only the sender and receiver have the secret key. Hence authenticity is assured. The entire message is not encrypted. One way Hash Authentication using Conventional Encryption
One-Way Hash Function Authentication Using Public-Key Encryption This will provide a digital signature as well as message authentication. Advantage is that it does not require the distribution of keys to communicating parties. The entire message is not encrypted.
One-Way Hash Function Authentication Using Secret Value No encryption for message authentication. The communicating parties share a common secret value that is coded into the message. Since the secret value itself is not sent, it is hard for the attacker to modify the intercepted message. Authentication is provided but no confidentiality is provided.
Variants of Hash Functions: Encrypt Message Plus Hash Code Both message and hash code encrypted. The message must have come from A if it is not altered (checked using hash) since only A and B have access to the secret key. Confidentiality is provided since the encryption is applied to both hash + normal message.
Variants of Hash Functions: Encrypted Hash Code – Shared Key Only hash code is encrypted using symmetric encryption. Authentication is provided but not confidentiality. Reduces processing burden for applications that do not require confidentiality.
Variants of Hash :Encrypt Hash Code Sender’s private key Only hash code is encrypted using the senders private key with public-key encryption. Authentication is provided but not confidentiality. Provides a digital signature.
Variants of Hash Functions: Encrypt Results of (c) – Shared secret key Message and the public-key encrypted hash code is encrypted using symmetric key. Confidentiality and digital signature is provided.
Variants of Hash Functions: Compute Hash Code of Message Plus Secret Value Assumes parties communicating have the secret value. No encryption. Source A computes the hash code over the concatenation of M and S and appends the result to M. Authentication is provided.
Variants of Hash Functions: Encrypt Result of (e) Confidentiality is added to the approach in (e) using symmetric key encryption.