CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 13.Message Authentication.

Slides:



Advertisements
Similar presentations
Hashes and Message Digests
Advertisements

Lecture 5: Cryptographic Hashes
Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Cryptographic Hash Functions Rocky K. C. Chang, February
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Information Security and Management 11
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
1 Information System Security AABFS-Jordan Summer 2006 Digital Signature and Hashing Functions Prepared by: Maher Abu Hamdeh & Adel Hamdan Supervised by:
Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Lecture 13 Message Signing
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Chapter 31 Network Security
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
HASH Functions.
Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.
1 Chapter 11: Message Authentication and Hash Functions Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Hash and MAC Algorithms Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 12/3/2009 INCS 741: Cryptography 12/3/20091Dr. Monther Aldwairi.
Message Authentication Code July Message Authentication Problem  Message Authentication is concerned with:  protecting the integrity of a message.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 Hashes and Message Digests. 2 Hash Also known as –Message digest –One-way function Function: input message -> output One-way: d=h(m), but not h’(d)
Chapter 31 Cryptography And Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
12.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 12 Cryptographic Hash Functions.
Hashing Algorithms: Basic Concepts and SHA-2 CSCI 5857: Encoding and Encryption.
Hash and MAC Functions CS427 – Computer Security
CSCI 172/283 Fall 2010 Hash Functions, HMACs, and Digital Signatures.
12.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 12 Cryptographic Hash Functions.
1 Network Security Lecture 5 Hashes and Message Digests Waleed Ejaz
Hash and Mac Algorithms. Contents Hash Functions Secure Hash Algorithm HMAC.
Chapter 4 Message Authentication MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.
Cryptographic Hash Functions and Protocol Analysis
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Modern Cryptography.
Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptographic Hash Functions Prepared by Dr. Lamiaa Elshenawy
Cryptography and Network Security (CS435) Part Nine (Message Authentication)
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.3 Hash Functions.
Cryptographic Hash Functions
CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Message Authentication Codes CSCI 5857: Encoding and Encryption.
12.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 12 Cryptographic Hash Functions.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Understanding Cryptography by Christof Paar and Jan Pelzl These slides were prepared by Christof Paar and Jan Pelzl Chapter 12.
@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.
Chapter 12 – Hash Algorithms
Message Integrity and Message Authentication
NET 311 Information Security
ICS 454 Principles of Cryptography
ICS 454 Principles of Cryptography
Cryptographic Hash Functions
The Secure Hash Function (SHA)
Presentation transcript:

CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 13.Message Authentication and Hash Function

13. Message Authentication CS480_W Outline r Introduction to message integrity and authentication r MDC and MAC r General ideas behind cryptographic hash functions r Merkle-Damgard scheme as the basis for iterated hash functions r A cryptographic hash function: SHA-512

13. Message Authentication CS480_W Message integrity r The cryptography systems that we have studied so far provide secrecy, or confidentiality, but not integrity. r However, there are occasions where we may not even need secrecy but instead must have integrity m Everyone is allowed to read a message m But no one is allowed to modify it

13. Message Authentication CS480_W Message and Message Digest r The message is passed through a cryptographic hash function r The function creates a compressed image of the message r The compressed image, called message digest, can be used like a fingerprint

13. Message Authentication CS480_W Checking Integrity r Run the cryptographic hash function again r Compare the new message digest with the previous one m If the they match, the original message is not modified

13. Message Authentication CS480_W Cryptographic Hash Function Criteria r A cryptographic hash function must satisfy three criteria: m preimage resistance m second preimage resistance m collision resistance.

13. Message Authentication CS480_W Message authentication r The digest created by a cryptographic hash function is normally called a modification detection code (MDC) r A message digest does not authenticate the sender of the message r To provide message authentication, Alice needs to provide proof that it is Alice sending the message and not an impostor. r What we need for message authentication is a message authentication code (MAC).

13. Message Authentication CS480_W Modification Detection Code (MDC)

13. Message Authentication CS480_W Message Authentication Code (MAC) r To ensure the integrity of the message and the data origin authentication, we need to use MAC r The difference between MDC and MAC is m MAC includes a key shared between Alice and Bob

13. Message Authentication CS480_W Message Authentication Code (MAC)

13. Message Authentication CS480_W Nested MAC r Nested MACs are designed to improve the security of a MAC r Two steps m The key is concatenated with the message and is hashed to create an intermediate digest m The key is concatenated with the intermediate digest to create the final digest

13. Message Authentication CS480_W Nested MAC

13. Message Authentication CS480_W HMAC r HMAC is a standard for a nested MAC r Steps 1. The message is divided into N blocks, each of b bits 2. K is left padded with 0’s to create a b-bit key 3. The result of step 2 is XORed with a constant (ipad) to create a b- bit block 1.Ipad is b/8 repetition of The resulting block is prepended to N-block message. The result is N+1 blocks 5. The result of step 4 is hashed to create an n-bit digest 6. The result of step 5 is left padded with 0s to make a b-bit block (b>n) 7. Steps 2 and 3 are repeated by a different constant opad. The value of opad is b/8 repetition of the sequence The result of step 7 is prepended to the block of step 6 9. The result of step 8 is hashed with the same hashing algorithm to create the final n-bit HMAC

13. Message Authentication CS480_W HMAC

13. Message Authentication CS480_W Iterated Hash Function r A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length r Iteration is used to implement the function m We don’t need a function with variable-size input m A function with fixed-size input is created and is used a necessary number of times m The fixed-size input function is called a compression function r The scheme is referred to as an iterated cryptographic hash function

13. Message Authentication CS480_W Merkle-Damgard Scheme r An iterated hash function r Collision resistant if the compression function is collision resistant

13. Message Authentication CS480_W Merkle-Damgard Scheme r The message is padded to be evenly divided into t blocks of n bits, M1, M2, … Mt r The digest created at t iterations are called H1, H2,…, Ht r Before starting the iteration, the digest H0 is set to a fixed value, called Initialization Vector (IV) r The compression function at each iteration operates on H i-1 and M i to create a new H i. m H i = f(H i-1, M i ) r H t is the cryptographic hash function of the original message

13. Message Authentication CS480_W Two Groups of Compression Functions r The Merkel-Damgard scheme is the basis for many cryptographic hash functions r The only thing we need to do is to design a compression function that is collision resistant r Two different approaches m The compression function is made from scratch m A symmetric-key block cipher serves as a compression function

13. Message Authentication CS480_W Hash functions made from scratch r Message Digest (MD) m MD2, MD4, MD5 m Designed by Ron Rivest r Secure Hash Algorithms (SHA) m A standard developed by NIST m Also referred to as Secure Hash Standard (SHS) m SHA224, SHA256, SHA-384 and SHA-512

13. Message Authentication CS480_W Hash functions based on bock ciphers r An iterated cyptographic hash function can use a symmetric-key block cipher as a compression function r The block cipher is used to make a one-way hash function instead of creating a new one r The block cipher only performs encryption r Example: Whirlpool (not discussed)

13. Message Authentication CS480_W Hash functions based on bock ciphers r Rabin scheme r Davies-Meyer scheme r Matyas-Meyer-Oseas scheme r Miyaguchi-Preneel Scheme m Whirlpool is based on this scheme

13. Message Authentication CS480_W Rabin Scheme

13. Message Authentication CS480_W Davies-Meyer Scheme

13. Message Authentication CS480_W Matyas-Meyer-Oseas Scheme

13. Message Authentication CS480_W Miyaguchi-Preneel Scheme

13. Message Authentication CS480_W SHA-512 r SHA-512 is the version of SHA with a 512-bit message digest r This version, like the others in the SHA family of algorithms, is based on the Merkle-Damgard scheme

13. Message Authentication CS480_W Introduction r SHA-512 creates a digest of 512 bits from a multiple-block message r Each message is 1024 bits in length r The digest is initialized to an initial value r The algorithm mixes the initial value with the 1 st block of the message to create the first intermediate message digest r The digest is the mixed with the 2 nd block to create the second intermediate message digest r Finally, the (N-1)th the digest is mixed with the Nth block to create the final message digest for the entire message

13. Message Authentication CS480_W Introduction

13. Message Authentication CS480_W Message Preparation r SHA-512 creates a 512-bit message digest out of a message less than r The message length limitation of SHA-512 is not a serious problem m Suppose we need to send a message that is bits in length. m How long does it take for a communications network with a data rate of 2 64 bits per second to send this message? A communications network that can send 2 64 bits per second is not yet available Several years if such network is available

13. Message Authentication CS480_W Message Preparation r How many pages are occupied by a message of bits? m Suppose that a character is 32, or 2 5, bits. m Each page contains less than 2048, or approximately 2 11, characters. m So bits need at least / 2 16, or 2 112, pages m This again shows that we need not worry about the message length restriction.

13. Message Authentication CS480_W Length field and Padding r Before the message digest can be created, SHA- 512 requires the addition of a 128-bit unsigned- integer length field to the message m defines the length of the original message in bits m The length is for the message before padding or adding the length field r Before the addition of the length field, the message is padded m Make the length a multiple of 1024 bits r 128 bits are reserved for the length field

13. Message Authentication CS480_W Length field and Padding r Let |M| be the length of the message and |P| be the length of the padding m (|M| + |P| +128) = 0 mod 1024 or |P| = (- (|M|-128) mod 1024 r The format of padding is one 1 followed by the necessary number of 0s

13. Message Authentication CS480_W Example r What is the number of padding bits if the length of the original message is 2590 bits? r We can calculate the number of padding bits as follows: m |P| = ( ) mod 1024 = mod 1024 = 354 m The padding consists of one 1 followed by 353 0’s

13. Message Authentication CS480_W Length field and Padding r What is the minimum and maximum number of padding bits that can be added to a message? m The minimum length of padding is 0 m It happens when (−M − 128) mod 1024 is 0. m This means that |M| = −128 mod 1024 = 896 mod 1024 bits. m In other words, the last block in the original message is 896 bits. m We add a 128-bit length field to make the block complete.

13. Message Authentication CS480_W Length field and Padding r The maximum length of padding is 1023 r it happens when (−|M| −128) = 1023 mod 1024 r This means that the length of the original message is |M| = (−128 −1023) mod 1024 or the length is |M| = 897 mod r In this case, we cannot just add the length field because the length of the last block exceeds one bit more than r So we need to add 127 bits to complete this block and create a second block of 896 padding bits r Now the length can be added to make this block complete.

13. Message Authentication CS480_W Length field and Padding Message Padding Length field Block 1 Block 2

13. Message Authentication CS480_W Words r SHA-512 is word-oriented r A word contains 64 bits r After the padding and adding the length field, each block of the message consists of bit words r The message digest contains 8 words m From A to H

13. Message Authentication CS480_W Words

13. Message Authentication CS480_W Word expansion r Before processing, each message block must be expanded r We need 80 words in the processing phase r 16 words are expanded to 80 words m From W 0 to W 79 r The 1024-bit message becomes the first 16 words r The rest of words come from already-made words according to some operations

13. Message Authentication CS480_W Word Expansion right by 0’s.

13. Message Authentication CS480_W Word Expansion r Show how W60 is made r Each word in the range W16 to W59 is made from four previously-made words. W60 is made as

13. Message Authentication CS480_W Message Digest Initialization

13. Message Authentication CS480_W Compression function r SHA-512 creates a 512 bit message digest from a multiple-block message m Each block is 1024 bits r The processing of each block involves 80 rounds r In each round, the following 3 components are mixed together and are operated on to create a new set of buffers m the contents of 8 previous buffers m one word from the expanded block(Wi) m one 64-bit constant (Ki)

13. Message Authentication CS480_W Compression Function K0 – K79 are 80 constants

13. Message Authentication CS480_W Structure of each round in SHA rounds!

13. Message Authentication CS480_W Structure of each round in SHA-512 r Majority Function r Conditional Function r Rotate Functions

13. Message Authentication CS480_W Structure of each round in SHA-512 r We apply the Majority function on buffers A, B, and C. If the leftmost hexadecimal digits of these buffers are 0x7, 0xA, and 0xE, respectively, what is the leftmost digit of the result? r The digits in binary are 0111, 1010, and 1110 m The first bits are 0, 1, and 1. The majority is 1 m The second bits are 1, 0, and 1 The majority is 1 m The third bits are 1, 1, and 1. The majority is 1 m The fourth bits are 1, 0, and 0. The majority is 0 r The result is 1110, or 0xE in hexadecimal

13. Message Authentication CS480_W Structure of each round in SHA- 512 r We apply the Conditional function on E, F, and G buffers. If the leftmost hexadecimal digits of these buffers are 0x9, 0xA, and 0xF respectively, what is the leftmost digit of the result? r The digits in binary are 1001, 1010, and 1111 m The first bits are 1, 1, and 1. since E 1 is 1, the result is F 1, which is 1 m The second bits are 0, 0, and 1. since E 2 is 0, the result is G 2, which is 1 m The third bits are 0, 1, and 1. since E 3 is 0, the result is G 3, which is 1 m The fourth bits are 1, 0, and 1. since E 4 is 1, the result is F 4, which is 0 r The result is 1110, or 0xE in hexadecimal

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.