Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Principles & Applications Topic 4: Message Authentication 虞慧群

Similar presentations

Presentation on theme: "Information Security Principles & Applications Topic 4: Message Authentication 虞慧群"— Presentation transcript:

1 Information Security Principles & Applications Topic 4: Message Authentication 虞慧群

2 Authentication Requirements - must be able to verify that: Message came from its alleged source or author, Contents have not been altered, Sometimes, it was sent at a certain time or sequence. Protection against active attack (falsification of data and transactions) Two levels for message authentication mechanism Lower level: authenticator – a value to be used to authenticate a message Higher level: an authentication protocol that enables a receiver to verify the authenticity of the message

3 Approaches to Message Authentication Authentication Using Conventional Encryption Only the sender and receiver should share a key Message Authentication without Message Encryption An authentication tag is generated and appended to each message Two ways Message Authentication Code (MAC) Hash function (or message digest)

4 Message Authentication Code generated by an algorithm that creates a small fixed-sized block depending on both message and some key like encryption though need not be reversible appended to message as a signature receiver performs same computation on message and checks it matches the MAC provides assurance that message is unaltered and comes from sender

5 Message Authentication Code Calculate the MAC as a function of the message and the key, i.e. MAC = F K (M)

6 MAC Properties a MAC is a cryptographic checksum MAC = F K (M) condenses a variable-length message M using a secret key K to a fixed-sized authenticator is a many-to-one function potentially many messages have same MAC but finding these needs to be very difficult

7 Requirements for MACs taking into account the types of attacks need the MAC to satisfy the following: 1. knowing a message and MAC, is infeasible to find another message with same MAC 2. MACs should be uniformly distributed 3. MAC should depend equally on all bits of the message Approaches to constructing MACs Using DES HMAC

8 Hash Functions condenses arbitrary message to fixed size usually assume that the hash function is public and not keyed cf. MAC which is keyed hash used to detect changes to message can use in various ways with message most often to create a digital signature

9 Authentication Using Hash

10 Secret value is added before the hash and removed before transmission. Authentication Using Hash

11 Hash Function Properties a Hash Function produces a fingerprint of some file/message/data h = H(M) condenses a variable-length message M to a fixed-sized fingerprint Hash function assumed to be public

12 Requirements for Hash Functions 1. can be applied to any sized message M 2. produces fixed-length output h 3. is easy to compute h=H(M) for any message M 4. given h is infeasible to find x s.t. H(x)=h one-way property 5. given x is infeasible to find y s.t. H(y)=H(x) weak collision resistance 6. is infeasible to find any x,y s.t. H(y)=H(x) strong collision resistance

13 Secure Hash Functions and HMAC Secure Hash Functions Secure Hash Algorithm (SHA-1) NIST standard (FIPS 180-1), issued in 1995 Input: message length (<2 64 ); Output: 160-bit MD MD5 RIPEMD-160 HMAC Developing a MAC derived from a cryptographic hash code, such as SHA-1. Used in IP security, Transport Layer Security (TLS) and Secure Electronic Transaction (SET).

14 Authentication Applications will consider authentication functions developed to support application-level authentication & digital signatures will consider Kerberos – a private-key authentication service then X.509 directory authentication service

15 KERBEROS In Greek mythology, a many headed dog, the guardian of the entrance of Hades

16 KERBEROS Users wish to access services on servers. Three threats exist: User pretends to be another user. User alters the network address of a workstation. User eavesdrops on exchanges and uses a replay attack.

17 KERBEROS Provides a centralized authentication server to authenticate users to servers and servers to users. Relies on conventional encryption, making no use of public-key encryption Two versions: version 4 and 5 Version 4 makes use of DES

18 Kerberos Version 4 Terms: C = Client AS = authentication server V = server ID c = identifier of user on C ID v = identifier of V P c = password of user on C ADc = network address of C K v = secret encryption key shared by AS and V TS = timestamp || = concatenation

19 A Simple Authentication Dialogue (1) C  AS: ID c || P c || ID v (2) AS  C:Ticket (3) C  V: ID c || Ticket Ticket = E K v [ ID c || AD c || ID v] Two problems The number of times a user has to enter a password Plaintext transmission of the password

20 The Idea towards Solution Introducing a ticket-granting server (TGS) The user first requests a ticket-granting ticket (Ticket tgs ) from the AS; The user then authenticates itself to TGS for a ticket (Ticket v ) for accessing new service; The user finally authenticate itself to V for requesting a particular service.

21 Kerberos Version 4 Authentication Dialogue



24 Overview of Kerberos

25 Request for Service in Another Realm

26 Difference Between Version 4 and 5 Encryption system dependence (V.4 DES) Internet protocol dependence Message byte ordering Ticket lifetime Authentication forwarding Interrealm authentication

27 Kerberos Encryption Techniques

28 PCBC Mode

29 Kerberos - in practice Currently have two Kerberos versions: 4 : restricted to a single realm 5 : allows inter-realm authentication, in beta test Kerberos v5 is an Internet standard specified in RFC1510, and used by many utilities To use Kerberos: need to have a KDC on your network need to have Kerberised applications running on all participating systems major problem - US export restrictions Kerberos cannot be directly distributed outside the US in source format (& binary versions must obscure crypto routine entry points and have no encryption) else crypto libraries must be reimplemented locally

30 X.509 Authentication Service Distributed set of servers that maintains a database about users. Each certificate contains the public key of a user and is signed with the private key of a CA. Is used in S/MIME, IP Security, SSL/TLS and SET. RSA is recommended to use.

31 X.509 Formats

32 Obtaining a User ’ s Certificate Characteristics of certificates generated by CA: Any user with access to the public key of the CA can recover the user public key that was certified. No part other than the CA can modify the certificate without this being detected.

33 X.509 CA Hierarchy

34 Revocation of Certificates Reasons for revocation: The users secret key is assumed to be compromised. The user is no longer certified by this CA. The CA ’ s certificate is assumed to be compromised.

35 Authentication Procedures

36 Summary have considered: message authentication using message encryption MACs hash functions Kerberos X.509 Authentication Service

37 A Quiz In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user whose public key e = 5, n = 35. What is the plaintext M?

Download ppt "Information Security Principles & Applications Topic 4: Message Authentication 虞慧群"

Similar presentations

Ads by Google