Presentation on theme: "Information Security and Management 11"— Presentation transcript:
1 Information Security and Management 11: Message Authentication and Hash Functions
Chih-Hung Wang, Sep. 2008
2 Message Authentication: Authentication Requirement
Possible attacks on the network:
- Disclosure
- Traffic analysis
- Masquerade
- Content modification
- Sequence modification
- Timing modification
- Source repudiation
- Destination repudiation
3 Authentication Functions
- Message encryption: the ciphertext of the entire message serves as its authenticator
- Message authentication code (MAC): a public function of the message and a secret key that produces a fixed-length value that serves as the authenticator
- Hash function: a public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator
4 Message Encryption (A) Conventional encryption: confidentiality and authentication
14 MAC (1)
- The use of a secret key to generate a small fixed-size block of data that is appended to the message
- A MAC function is similar to encryption. One difference is that the MAC algorithm need not be reversible
- It is less vulnerable to being broken than encryption
15 MAC (2)
Three situations in which a message authentication code is used:
- The same message is broadcast to a number of destinations
  - It is cheaper and more reliable to have only one destination responsible for monitoring authenticity
- An exchange in which one side has a heavy load and cannot afford the time to decrypt all incoming messages
  - Messages are chosen at random for checking
- Authentication of a computer program in plaintext is an attractive service
  - The computer program can be executed without having to decrypt it every time
16 MAC (3)
Other rationales:
- For some applications, it may not be a concern to keep messages secret, but it is important to authenticate messages
  - SNMPv3 separates the functions of confidentiality and authentication
- Separation of authentication and confidentiality functions affords architectural flexibility
  - Perform authentication at the application level but provide confidentiality at a lower level
- A user may wish to prolong the period of protection beyond the time of reception and yet allow processing of the message content
21 MAC Function
- A MAC function is similar to encryption. One difference is that the MAC algorithm need not be reversible, as it must for decryption.
- In general, the MAC function is a many-to-one function. If an n-bit MAC is used, then there are 2^n possible MACs, whereas there are N possible messages with N >> 2^n.
23 Requirements for MACs (2)
Taking into account the types of attacks, the MAC needs to satisfy the following:
- Knowing a message and its MAC, it is infeasible to find another message with the same MAC.
- If we assume that the opponent does not know k but does have access to the MAC function and can present messages for MAC generation, then the opponent could try various messages until finding one that matches a given MAC.
- MACs should be uniformly distributed. A brute-force method would require, on average, 2^(n-1) attempts.
- The MAC should not be weaker with respect to certain parts or bits of the message than others.
24 Using Symmetric Ciphers for MACs
- Can use any block cipher chaining mode and use the final block as a MAC
- Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
  - using IV=0 and zero-pad of final block
  - encrypt message using DES in CBC mode
  - and send just the final block as the MAC
  - or the leftmost M bits (16≤M≤64) of final block
- but final MAC is now too small for security
25 DAC: Data Authentication Code (FIPS PUB 113 and ANSI standard X9.17)
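
The DAA construction from the previous two slides (IV=0, zero-padded final block, CBC chaining, leftmost M bits of the last output) as an added example that is not part of the original slides. DES is not in the Python standard library, so `toy_encrypt_block` is a hypothetical stand-in 64-bit cipher used only to show the chaining; the key and messages are constructed, and M is restricted to whole bytes for simplicity.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit block, the same size as a DES block

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher (4-round Feistel over SHA-256).
    NOT DES and not secure; it only gives CBC a keyed permutation to chain."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def daa_style_mac(key: bytes, message: bytes, m_bits: int = 64) -> bytes:
    """CBC-MAC laid out as the slide describes DAA."""
    if not 16 <= m_bits <= 64 or m_bits % 8:
        raise ValueError("M must be a multiple of 8 with 16 <= M <= 64")
    # Zero-pad the final block. Messages that differ only in trailing zero
    # bytes therefore get the same tag, so the length must be fixed or
    # encoded by the caller.
    if not message or len(message) % BLOCK:
        message += b"\x00" * (BLOCK - len(message) % BLOCK)
    state = bytes(BLOCK)  # IV = 0
    for i in range(0, len(message), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(state, message[i:i + BLOCK]))
        state = toy_encrypt_block(key, mixed)  # O_i = E(K, D_i xor O_(i-1))
    return state[:m_bits // 8]  # leftmost M bits of the final block

def verify(key: bytes, message: bytes, tag: bytes, m_bits: int = 64) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(daa_style_mac(key, message, m_bits), tag)

if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed sample key
    msg = b"PAY 100 TO ALICE"       # constructed sample message
    tag = daa_style_mac(key, msg)
    print("tag:", tag.hex())
    print("original verifies:", verify(key, msg, tag))
    print("modified verifies:", verify(key, b"PAY 900 TO ALICE", tag))
    print("32-bit tag:", daa_style_mac(key, msg, 32).hex())
```
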
26 Hash Function Definition
- A hash function accepts a variable-size message M as input and produces a fixed-size hash code H(M)
- Sometimes called a message digest
- Hash algorithms:
  - MD5: RFC developed by Ron Rivest at MIT
  - Secure Hash Algorithm (SHA): FIPS PUB 180 in 1993 (NIST) in 1995
- FIPS: Federal Information Processing Standard
27 Hash Function
[Figure: plaintext M; message digest / hash value H(M)]
28 Requirements of Hash
- H can be applied to a block of data of any size
- H produces a fixed-length output
- H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical
- For any given code h, it is computationally infeasible to find x such that H(x)=h. This is sometimes referred to in the literature as the one-way property
- For any given block x, it is computationally infeasible to find y ≠ x with H(y)=H(x). This is sometimes referred to as weak collision resistance
- It is computationally infeasible to find any pair (x,y) such that H(x)=H(y). This is sometimes referred to as strong collision resistance.
29 Requirements of Hash
[Figure labels: m1, m2, H(m1), H(m2)]
It is difficult to find m1 and m2 (m1 ≠ m2) such that H(m1)=H(m2)
35 SHA-1 Logic
- Append padding bits: pad message so its length is 448 mod 512
- Append length: append a 64-bit length value to message
- Initialize MD buffer: initialise 5-word (160-bit) buffer (A,B,C,D,E) to ( ,efcdab89,98badcfe, ,c3d2e1f0)
- Process message in 512-bit (16-word) blocks:
  - expand 16 words into 80 words by mixing & shifting
  - use 4 rounds of 20 bit operations on message block & buffer
  - add output to input to form new buffer value
- Output: output hash value is the final buffer value
36 SHA-1 Compression Function
- Each round has 20 steps, each of which replaces the 5 buffer words thus:
  (A,B,C,D,E) <- (E + f(t,B,C,D) + S^5(A) + W_t + K_t, A, S^30(B), C, D)
- A,B,C,D,E refer to the 5 words of the buffer
- t is the step number, 0 ≤ t ≤ 79
- f(t,B,C,D) is the nonlinear function for the round
- W_t is derived from the message block
- K_t is an additive constant value
- S^k is circular left shift by k bits
41 Comparison of SHA-1 and MD5
- Brute force attack for SHA-1 is harder (160 vs 128 bits for MD5)
- SHA-1 is not vulnerable to any known attacks (compared to MD4/5) ??
- (Speed) SHA-1 is a little slower than MD5 (80 vs 64 steps)
- Both designs are simple and compact
- SHA-1 uses big endian scheme (MD5 uses little endian scheme)
42 Revised Secure Hash Standard
- NIST has issued a revision FIPS that adds 3 additional hash algorithms: SHA-256, SHA-384, SHA-512.
- Designed for compatibility with increased security provided by the AES cipher
- Structure & detail are similar to SHA-1 and hence analysis should be similar.