Message Authentication

Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) Will consider the security requirements then three alternative functions used: Message encryption Cryptographic checksum Hash function Up till now, have been concerned with protecting message content (ie secrecy) by encrypting the message. Will now consider how to protect message integrity (ie protection from modification), as well as confirming the identity of the sender. Generically this is the problem of message authentication, and in eCommerce applications is arguably more important than secrecy.

Authentication Requirements Kind of attacks in the context of communications across a network Disclosure Traffic analysis Masquerade Content modification Sequence modification Timing modification Source repudiation Destination repudiation Confidentiality Message Authentication Digital Signature Specialized Digital Signature

Authentication Requirements Message authentication A procedure to verify that received messages come from the alleged source and have not been altered Message authentication may also verify sequencing and timeliness Digital signature An authentication technique that also includes measures to counter repudiation by the source

Authentication Functions Message authentication or digital signature mechanism can be viewed as having two levels At lower level: there must be some sort of functions producing an authenticator – a value to be used to authenticate a message This lower level functions is used as primitive in a higher level authentication protocol

Authentication Functions Three classes of functions that may be used to produce an authenticator Message encryption Ciphertext itself serves as authenticator Message authentication code (MAC) A function of the message and a secret key that produces a fixed-length value that serves as the authenticator Hash function A function that maps a message of any length into a fixed-length hash value that serves as the authenticator

Message Encryption Message encryption by itself also provides a measure of authentication (as well as confidentiality) If symmetric encryption is used then: receiver know sender must have created it since only sender and receiver now key used know content cannot of been altered if message has suitable structure, redundancy or a checksum to detect any changes

Message Encryption If public-key encryption is used: encryption provides no confidence of sender since anyone potentially knows public-key however if sender signs message using their private-key then encrypts with recipients public key have both secrecy and authentication but at cost of two public-key uses on message

Basic Uses of Message Encryption

(a) Symmetric encryption

(b) Public key: confidentiality

(c) Public key: authentication & signature

(d) Public key: confidentiality, authentication

Message Authentication Code (MAC) Also known as Cryptographic Checksum Generated by an algorithm that creates a small fixed-sized block depending on both message and some key like encryption though need not be reversible Appended to message as a signature Receiver performs same computation on message and checks it matches the MAC Provides assurance that message is unaltered Message comes from sender

MAC Properties a MAC is a cryptographic checksum MAC = CK(M) condenses a variable-length message M using a secret key K to a fixed-sized authenticator is a many-to-one function potentially many messages have same MAC but finding these needs to be very difficult

Basic Uses of MAC

(a) Message authentication

(b) Message authentication & confidentiality

(c) Message authentication & confidentiality

Why Use MACs? Why not just use encryption? Cleartext stays clear MAC might be cheaper Sometimes only authentication is needed Broadcast Authentication of executable codes Sometimes need authentication to persist longer than the encryption (e.g., archival use) Separation of authentication and confidentiality provides architectural flexibility MAC does not provide a digital signature Because both sender and receiver share the same key

MAC Based on DES (CBC-MAC) Last block of CBC mode of DES, with IV = 0 Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC using IV=0 and zero-pad of final block encrypt message using DES in CBC mode and send just the final block as the MAC or the leftmost M bits (16≤M≤64) of final block Data Authentication Code (DAC) consists of 16 to 64 leftmost bits of ON

MAC Based on DES (CBC-MAC)

Hash Function One-way hash function Converts a variable size message M into fixed size hash code H(M) (Sometimes called a message digest) Unlike the MAC, a hash code does not use a key but is a function only of the input message Provides message integrity

Hash Functions h = H(M) The hash value is appended at the source M is a variable-length message h is a fixed-length hash value H is a hash function The hash value is appended at the source The receiver authenticates the message by recomputing the hash value Because the hash function itself is not considered to be secret, some means is required to protect the hash value

Hash Function Can be used with encryption or a shared key for authentication E(M || H(M)) : identical to the internal error control strategy M || E(H(M)) : a MAC M || signed H : typical digital signature E(M || signed H) M || H(M || K) : keyed hash (no encryption) E(M || H(M || K))

Basic Uses of Hash Function

Basic Uses of Hash Function

Encrypt message + hash code

Encrypt hash code

Encrypt hash code

Encrypt hash code

Compute hash code of message + secret value

Encrypt hash code of msg + secret value

Requirements for Hash Functions Can be applied to any sized message M Produces fixed-length output h Is easy to compute h = H(M) for any message M Given h is infeasible to find x s.t. H(x)= h one-way property Given x is infeasible to find y s.t. H(y)= H(x) weak collision resistance Is infeasible to find any x,y s.t. H(y)= H(x) strong collision resistance These are the specifications for good hash functions. Essentially it must be extremely difficult to find 2 messages with the same hash, and the hash should not be related to the message in any obvious way (ie it should be a complex non-linear function of the message). There are quite a few similarities in the evolution of hash functions & block ciphers, and in the evolution of the design requirements on both.

A Simple Example of Hash Functions Operation of hash functions The input is viewed as a sequence of n-bit blocks The input is processed one block at a time in an iterative fashion to produce an n-bit hash function Simplest hash function: Bitwise XOR of every block Ci = bi1  bi2  …  bim Ci = i-th bit of the hash code, 1  i  n m = number of n-bit blocks in the input bij = i-th bit in j-th block Known as longitudinal redundancy check

Hash Algorithms

Hash Algorithms See similarities in the evolution of hash functions & block ciphers increasing power of brute-force attacks leading to evolution in algorithms from DES to AES in block ciphers from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash algorithms Likewise tend to use common iterative structure as do block ciphers

MD5 designed by Ronald Rivest (the R in RSA) latest in a series of MD2, MD4 produces a 128-bit hash value until recently was the most widely used hash algorithm in recent times have both brute-force & cryptanalytic concerns specified as Internet standard RFC1321 MD5 is the current, and very widely used, member of Rivest’s family of hash functions.

Algorithm MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken up into chunks of 512-bit blocks The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation.

The message is padded so that its length is divisible by 512 first a single bit, 1, is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits fewer than a multiple of 512.

Algoritma

Strength of MD5 MD5 hash is dependent on all message bits Rivest claims security is good as can be known attacks are: Berson 92 attacked any 1 round using differential cryptanalysis (but can’t extend) Boer & Bosselaers 93 found a pseudo collision (again unable to extend) Dobbertin 96 created collisions on MD compression function (but initial constants prevent exploit) conclusion is that MD5 looks vulnerable soon Some progress has been made analysing MD5, which along with the hash size of 128-bits means its starting to look too small. Hence interest in hash functions that create larger hashes.

Secure Hash Algorithm (SHA-1) SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1 US standard for use with DSA signature scheme standard is FIPS 180-1 1995, also Internet RFC3174 nb. the algorithm is SHA, the standard is SHS produces 160-bit hash values now the generally preferred hash algorithm based on design of MD4 with key differences SHA is one of the newer generation of hash functions, more resistant to cryptanalysis, and now probably preferred for new applications.

SHA-1 verses MD5 brute force attack is harder (160 vs 128 bits for MD5) not vulnerable to any known attacks (compared to MD4/5) a little slower than MD5 (80 vs 64 steps) both designed as simple and compact optimised for big endian CPU's (vs MD5 which is optimised for little endian CPU’s) Compare using the design goals listed earlier. SHA-1 is probably the preferred hash function for new applications. Currently no problems are known with it.

Revised Secure Hash Standard There are 3 additional hash algorithms SHA-256, SHA-384, SHA-512 designed for compatibility with increased security provided by the AES cipher structure & detail is similar to SHA-1 hence analysis should be similar See Stallings Tables 12.3 and 12.4 for details.

RIPEMD-160 RIPEMD-160 was developed in Europe as part of RIPE project in 96 by researchers involved in attacks on MD4/5 initial proposal strengthen following analysis to become RIPEMD-160 somewhat similar to MD5/SHA uses 2 parallel lines of 5 rounds of 16 steps creates a 160-bit hash value slower, but probably more secure, than SHA

RIPEMD-160 verses MD5 & SHA-1 brute force attack harder (160 like SHA-1 vs 128 bits for MD5) not vulnerable to known attacks, like SHA-1 though stronger (compared to MD4/5) slower than MD5 (more steps) all designed as simple and compact SHA-1 optimised for big endian CPU's vs RIPEMD-160 & MD5 optimised for little endian CPU’s RIPEMD-160 is probably the most secure of the hash algorithms, so would be chosen if that is of major concern.

Keyed Hash Functions as MACs have desire to create a MAC using a hash function rather than a block cipher because hash functions are generally faster not limited by export controls unlike block ciphers hash includes a key along with the message original proposal: KeyedHash = Hash(Key|Message) some weaknesses were found with this eventually led to development of HMAC

HMAC specified as Internet standard RFC2104 uses hash function on the message: HMACK = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad)||M)]] where K+ is the key padded out to size and opad, ipad are specified padding constants overhead is just 3 more hash calculations than the message needs alone any of MD5, SHA-1, RIPEMD-160 can be used The idea of a keyed hash evolved into HMAC, designed to overcome some problems with the original proposals. Further have a design that has been shown to have the same security as the underlying hash alg. The hash function need only be used on 3 more blocks than when hashing just the original message (for the two keys + inner hash). Choose hash alg to use based on speed/security concerns.

HMAC Overview Stallings Fig 12-10.

HMAC Overview K, secret key shared between the two parties K should be larger than L/2, where L is size of hash output (e.g. 160 bits) Output of HMAC may be truncated (left most significant bits may be transmitted) an arbitrary purported MAC of t bits on an arbitrary plaintext message may be successfully verified with an expected probability of (1/2)^t

HMAC Security know that the security of HMAC relates to that of the underlying hash algorithm attacking HMAC requires either: brute force attack on key used birthday attack (but since keyed would need to observe a very large number of messages) choose hash function used based on speed verses security constraints