Message Authentication & Cryptographic Hash Functions


1 Message Authentication & Cryptographic Hash Functions
A.Sivaramakrishnan Assistant Professor, Dept of Information Technology, Chettinad Tech.

2 Lecture Outline
• Message Authentication
• Message Encryption
• MAC
• Hash Functions
• Types
• Examples
• Applications

3 Message Authentication
Message authentication is concerned with:
• protecting the integrity of a message
• validating identity of originator
• non-repudiation of origin (dispute resolution)
Can be achieved using:
• message encryption (protecting message content)
• message authentication code (MAC) - ensures integrity and authentication
• hash functions - ensures integrity

4 Security Attacks
• disclosure
• traffic analysis
• masquerade
• modification
• source repudiation
• destination repudiation

5 Message Encryption

6 Message Encryption Message encryption by itself also provides a measure of authentication symmetric encryption

7 Message Encryption …. contd
if public-key encryption is used: encryption provides no confidence of sender since anyone potentially knows public-key

8 Message Authentication Code

9 MAC - Introduction
• generated by an algorithm that creates a small fixed-sized block
  • depending on both message and some key
  • like encryption though need not be reversible
• appended to message as a MAC code
• receiver performs same computation on message and checks if it matches the MAC code
• If yes, provides assurance that message is unaltered and comes from the alleged sender

10 MAC …. contd

11 MAC …. contd
• can also use encryption for secrecy
  • generally use separate keys for each
  • can compute MAC either before or after encryption
  • is generally regarded as better done before
• why use a MAC?
  • sometimes only authentication is needed
  • sometimes need authentication to persist longer than the encryption (e.g. archival use)
• MAC is not a digital signature

12 MAC Properties
• is a cryptographic checksum: MAC = C_K(M)
  • condenses a variable-length message M using a secret key K to a fixed-sized authenticator
• is a many-to-one function
  • potentially many messages have same MAC
  • but finding these needs to be very difficult
• can use any block cipher chaining mode and use final block as a MAC
• Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
• but final MAC is now too small for security

13 Hash Functions

14 What is Cryptographic hash?
Let h be the hash function and x be the message. Then y = h(x) is the hash value or fingerprint, referred to as the message digest (160 bits commonly) (checksum, signature). Hash functions provide data integrity. If data is altered, the fingerprint is altered and no longer valid. Even if data is stored in an insecure place, integrity can be checked by computing the fingerprint again and verifying that it has not changed.

15 Types
• Unkeyed hash function –> y = h(x). Hash function should be protected.
• Keyed hash function (Message Authentication Code) –> y = h_k(x). Key k is secret and should be protected. Pair (x, y) can be transmitted over an insecure channel.
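Added example (not part of the original slides): why the pair (x, y) can travel over an insecure channel only when y is keyed. HMAC-SHA256 stands in for the generic h_k(x) / C_K(M) of the slides; the key, the message and the function names are constructed for the demonstration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # assumption: secret shared by sender and receiver

def send_unkeyed(msg):
    """Sender transmits (x, y) with y = h(x)."""
    return msg, hashlib.sha256(msg).digest()

def recv_unkeyed(msg, tag):
    return hmac.compare_digest(hashlib.sha256(msg).digest(), tag)

def send_keyed(msg, key=KEY):
    """Sender transmits (x, y) with y = h_k(x)."""
    return msg, hmac.new(key, msg, hashlib.sha256).digest()

def recv_keyed(msg, tag, key=KEY):
    """Receiver performs the same computation and compares in constant time."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def modify_in_transit(msg, tag):
    """Modification on the channel without knowledge of the key:
    x is changed and the public function h is simply recomputed."""
    changed = msg.replace(b"100", b"900")
    return changed, hashlib.sha256(changed).digest()

def demo():
    msg = b"pay 100 to alice"   # constructed sample message
    return {
        "unkeyed_intact_accepted": recv_unkeyed(*send_unkeyed(msg)),
        "unkeyed_modified_accepted": recv_unkeyed(*modify_in_transit(*send_unkeyed(msg))),
        "keyed_intact_accepted": recv_keyed(*send_keyed(msg)),
        "keyed_modified_accepted": recv_keyed(*modify_in_transit(*send_keyed(msg))),
    }
```

The unkeyed digest only protects integrity when y itself is delivered or stored out of reach of whoever can change x; the keyed form rejects the modified pair because the tag cannot be recomputed without k.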

16 Example
$ cat smallfile
This is a very small file with a few characters
$ cat bigfile
This is a larger file that contains more characters.This demonstrates that no matter how big the input stream is, the generated hash is the same size (but of course, not the same value). If two files have a different hash, they surely contain different data.
$ ls -l empty-file smallfile bigfile linux-kernel
-rw-rw-r self self :58 empty-file
-rw-rw-r self self :48 smallfile
-rw-rw-r self self :48 bigfile
-rw-r--r root root :12 linux-kernel
$ md5sum empty-file smallfile bigfile linux-kernel
d41d8cd98f00b204e ecf8427e empty-file
75cdbfeb70a06d da88c smallfile
6e0b7a1676ec b3f39bd65e41a bigfile
c74c812e4d2839fa9acf0aa0c915e022 linux-kernel

17
$ cat file1
This is a very small file with a few characters
$ md5sum file1 file2
75cdbfeb70a06d da88c42991 file1
6fbe37f1eea0f802bd792ea885cd03e2 file2
The first character of a file is changed from T to t, and the binary values of these ASCII characters differ by just one bit:
T -> 0x54 ->
t -> 0x74 ->
But even a single bit of change in the input produces a very large change in the output – avalanche effect.
Though the value of the hash changes, its size does not.
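Added example (not from the original slides): measuring the avalanche effect described above, first for the slide's T to t change and then, going beyond the slide, for every possible single-bit flip of the input. The file content is taken from the slide; the trailing newline and all function names are assumptions.

```python
import hashlib

def bits_changed(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def flip_bit(msg: bytes, i: int) -> bytes:
    """Return msg with bit i flipped (bit 0 = most significant bit of byte 0)."""
    out = bytearray(msg)
    out[i // 8] ^= 0x80 >> (i % 8)
    return bytes(out)

def avalanche_profile(msg: bytes, algo: str = "md5") -> dict:
    """Flip every input bit in turn and record how many digest bits change."""
    base = hashlib.new(algo, msg).digest()
    changes = [bits_changed(base, hashlib.new(algo, flip_bit(msg, i)).digest())
               for i in range(8 * len(msg))]
    return {"digest_bits": 8 * len(base), "min": min(changes),
            "max": max(changes), "mean": sum(changes) / len(changes)}

# File content from the slide; the trailing newline is an assumption.
FILE1 = b"This is a very small file with a few characters\n"
FILE2 = b"t" + FILE1[1:]          # 'T' (0x54) -> 't' (0x74): one input bit differs

def slide_case(algo: str = "md5"):
    """Return (input bits changed, digest bits changed, digest sizes equal)."""
    d1, d2 = (hashlib.new(algo, m).digest() for m in (FILE1, FILE2))
    return bits_changed(FILE1, FILE2), bits_changed(d1, d2), len(d1) == len(d2)
```

For a well-behaved hash the mean reported by `avalanche_profile` sits close to half the digest length, which is what "a very large change in the output" means quantitatively.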

18 Hashes are digests

19 Applications
• Verifying file integrity
• Hashing passwords
• Digitally signing a Document

20 1. Verifying file integrity
Example: If the website publishes the hash values of its download bundles
69650e91e05b3a10fa3ac54ee261679b proftpd-1.3.3d.tar.bz2
72c8368b c3e5fc098d0241d proftpd-1.3.3d.tar.gz
3472f7a8fb760f549daf proftpd-1.3.4rc1.tar.bz2
a60891f0700f617c1e5d7317bd3396dc proftpd-1.3.4rc1.tar.gz
The md5sum command can be run on the downloaded file and the result compared with the published values.

21 2. Hashing Passwords
It's a bad idea for computer systems to store passwords in clear text (in their original form), because they can be stolen. Knowing how many people foolishly use one password at multiple sites, getting a password from one system may give access to others. A more secure way is to store a hash of the password, rather than the password itself. Since these hashes are not reversible, there is no way to find out for sure "what password produced this hash?" - and so the consequence of a compromise is much lower. Caution: "hashing is not encryption".

22 Storing a hash instead of a password

23 3.Digitally signing a Document
It's nothing but a digital signature, wherein one signs (encrypts with one's private key) the hash of the document. At some later date, the receiver can prove that the authorized sender has signed the document by decrypting the signature with the sender's public key, which yields the hash, and showing that the document's hash matches the signed one.

24 Collisions

25 When different chunks of data produce the same hash value, this is known as a collision
A hash is a many-to-one function, so collisions can happen. It seems obvious that many input streams are available that can produce any given hash. The easier it is to find a collision, the less useful the hash is.

26 Requirements for Hash Functions
• can be applied to any sized message M
• produces fixed-length output h
• is easy to compute h=H(M) for any message M
• given h is infeasible to find M s.t. H(M)=h (one-way property)
• given x is infeasible to find y s.t. H(y)=H(x) (weak collision resistance)
• is infeasible to find any x,y s.t. H(y)=H(x) (strong collision resistance)
These are the specifications for good hash functions. Essentially it must be extremely difficult to find 2 messages with the same hash, and the hash should not be related to the message in any obvious way (i.e. it should be a complex non-linear function of the message). There are quite a few similarities in the evolution of hash functions & block ciphers, and in the evolution of the design requirements on both.

27 A) Collision Resistance
Some algorithms are better than others at avoiding collisions, and this is measured by three related attributes.
A) Collision Resistance measures how difficult it is to pick two inputs that produce the same hash value.

28 Exploiting weak collision resistance:
If there is a possibility to create two inputs that generate the same hash, digital signatures become suspect. In the example above, the document signed was "a promise to pay", and being able to substitute one signed document for another would certainly lead to havoc.

29 B) Preimage Resistance
measures how difficult it is to devise (using skill and intelligence) an input which hashes to a particular value.

30 Exploiting weak Preimage Resistance
If we are able to "work backwards" from a hash and create some text that produces the same hash, we can use this to beat hashed passwords. We won't ever know the actual input data that was used, but that doesn't matter. Looking at the flow for validating against hashed passwords, all that matters is that the hashes match, not the passwords, so if we can find any other text that produces the stored hash, we'll be granted access. "Collisions" mean "more than one password will be accepted".

31 Second Preimage Resistance
measures how difficult it is to concoct an input which hashes to the same value that some other given input hashes to. This seems like an easier case of the previous item: the goal is to produce a new input that generates the given hash, but this time the original text that created it is known. But it is not clear how much help this extra knowledge is.

32 Exploiting weak second preimage resistance:
As with preimage resistance, we want to fool somebody into authenticating our data as genuine. Example - ProFTPD (and many other organizations) publishes software and matching md5 checksums, and if we are able to maliciously modify the source code but nevertheless keep the same checksum, downloaders around the globe will accept our badware as genuine.

33 Sequences used for collision

34 Simple Hash Functions
a) Divide the message into blocks of size n. XOR all the first bits of every block, XOR all the 2nd bits of every block and so on, to generate the hash code.
b) Set the initial n-bit hash value to zero. Process each successive n-bit block of data as follows:
   a. Rotate the current hash value to the left by one bit.
   b. XOR the block into the hash value.
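Added example (not from the original slides): both simple hash functions implemented as described, plus a measurement showing that neither has any avalanche behaviour. Zero-padding of the last block, the byte-sized default block and the function names are assumptions of this example.

```python
def blocks(msg: bytes, n_bytes: int):
    """Split msg into n-byte blocks; the last block is zero-padded (assumption)."""
    msg += b"\x00" * (-len(msg) % n_bytes)
    return [int.from_bytes(msg[i:i + n_bytes], "big")
            for i in range(0, len(msg), n_bytes)]

def xor_hash(msg: bytes, n_bytes: int = 1) -> int:
    """Scheme (a): bit i of the hash is the XOR of bit i of every block."""
    h = 0
    for b in blocks(msg, n_bytes):
        h ^= b
    return h

def rot_xor_hash(msg: bytes, n_bytes: int = 1) -> int:
    """Scheme (b): rotate the running hash left by one bit, then XOR in the block."""
    n = 8 * n_bytes
    h = 0
    for b in blocks(msg, n_bytes):
        h = ((h << 1) | (h >> (n - 1))) & ((1 << n) - 1)
        h ^= b
    return h

def output_bits_changed(hash_fn, msg: bytes, n_bytes: int = 1) -> set:
    """Flip each input bit in turn; collect how many output bits change each time."""
    base = hash_fn(msg, n_bytes)
    counts = set()
    for i in range(8 * len(msg)):
        m = bytearray(msg)
        m[i // 8] ^= 0x80 >> (i % 8)
        counts.add(bin(base ^ hash_fn(bytes(m), n_bytes)).count("1"))
    return counts
```

Scheme (a) ignores block order entirely, so `xor_hash(b"ab")` equals `xor_hash(b"ba")`; the rotation in scheme (b) makes order matter, but in both schemes one flipped input bit always changes exactly one output bit, so the hash is a simple linear function of the message.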

35 Secure Hash Algorithm

36 Introduction
• SHA originally designed by NIST in 1993
• was revised in 1995 as SHA-1
• US standard for use with DSA signature scheme
• produces 160-bit hash values
• recent 2005 results on security of SHA-1 have raised concerns on its use in future applications
In recent years, the most widely used hash function has been the Secure Hash Algorithm (SHA). The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993; a revised version was issued as FIPS in 1995 and is generally referred to as SHA-1. The actual standards document is entitled Secure Hash Standard. SHA is based on the hash function MD4 and its design closely models MD4. SHA-1 produces a hash value of 160 bits. In 2005, a research team described an attack in which two separate messages could be found that deliver the same SHA-1 hash using 2^69 operations, far fewer than the 2^80 operations previously thought needed to find a collision with an SHA-1 hash [WANG05]. This result has hastened the transition to newer, longer versions of SHA.

37 SHA Versions
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
Message digest size: 160, 224, 256, 384, 512
Message size: < 2^64, < 2^128
Block size: 1024
Word size: 32, 64
Number of steps: 80
Stallings Table 11.3 provides a comparison of the various parameters for the SHA hash functions.

38 SHA-512 Overview
Now examine the structure of SHA-512, noting that the other versions are quite similar. SHA-512 follows the structure depicted in Stallings Figure. The processing consists of the following steps:
• Step 1: Append padding bits, consists of a single 1-bit followed by the necessary number of 0-bits, so that its length is congruent to 896 modulo 1024
• Step 2: Append length as an (big-endian) unsigned 128-bit integer
• Step 3: Initialize hash buffer to a set of 64-bit integer constants (see text)
• Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart of the algorithm. Each round takes as input the 512-bit buffer value Hi, and updates the contents of that buffer.
• Step 5: Output the final state value as the resulting hash
See text for more details.

39 SHA-512 Compression Function
• heart of the algorithm
• processing message in 1024-bit blocks
• consists of 80 rounds
  • updating a 512-bit buffer
  • using a 64-bit value W derived from the current message block
  • and a round constant based on cube root of first 80 prime numbers
The SHA-512 Compression Function is the heart of the algorithm. In this Step 4, it processes the message in 1024-bit (128-word) blocks, using a module that consists of 80 rounds, labeled F in Stallings Figure 11.8, and is shown in detail in Figure. Each round takes as input the 512-bit buffer value, and updates the contents of the buffer. At input to the first round, the buffer has the value of the intermediate hash value. Each round t makes use of a 64-bit value Wt derived using a message schedule from the current 1024-bit block being processed. Each round also makes use of an additive constant Kt, based on the fractional parts of the cube roots of the first eighty prime numbers. The constants provide a “randomized” set of 64-bit patterns, which should eliminate any regularities in the input data. The output of the eightieth round is added to the input to the first round to produce the final hash value for this message block, which forms the input to the next iteration of this compression function, as shown on the previous slide.

40 SHA-512 Round Function
The structure of each of the 80 rounds is shown in Stallings Figure. Each 64-bit word is shuffled along one place, and in some cases manipulated using a series of simple logical functions (ANDs, NOTs, ORs, XORs, ROTates), in order to provide the avalanche & completeness properties of the hash function. The elements are:
Ch(e,f,g) = (e AND f) XOR (NOT e AND g)
Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)
∑(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)
∑(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)
+ = addition modulo 2^64
Kt = a 64-bit additive constant
Wt = a 64-bit word derived from the current 512-bit input block.
Six of the eight words of the output of the round function involve simply permutation (b, c, d, f, g, h) by means of rotation. This is indicated by shading in Figure. Only two of the output words (a, e) are generated by substitution. Word e is a function of input variables d, e, f, g, h, as well as the round word Wt and the constant Kt. Word a is a function of all of the input variables, as well as the round word Wt and the constant Kt.

41 SHA-512 Round Function
Each 64-bit word is shuffled, and manipulated using a series of simple logical functions (ANDs, NOTs, ORs, XORs, ROTates), in order to provide the avalanche & completeness properties of the hash function. The elements are:
Ch(e,f,g) = (e AND f) XOR (NOT e AND g)
Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)

42 SHA-512 Round Function
∑(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)
∑(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)
+ = addition modulo 2^64
Kt = a 64-bit additive constant
Wt = a 64-bit word derived from the current 512-bit input block.

43 SHA-512 Round Function
Six of the eight words of the output of the round function involve simply permutation (b, c, d, f, g, h) by means of rotation. Only two of the output words (a, e) are generated by substitution. Word e is a function of input variables d, e, f, g, h, as well as the round word Wt and the constant Kt. Word a is a function of all of the input variables, as well as the round word Wt and the constant Kt.

44 SHA-512 Round Function
Stallings Figure illustrates how the 64-bit word values Wt are derived from the 1024-bit message. The first 16 values of Wt are taken directly from the 16 words of the current block. The remaining values are defined as a function of the earlier values using ROTates, SHIFTs and XORs as shown. The function elements are:
σ0(x) = ROTR(x,1) XOR ROTR(x,8) XOR SHR(x,7)
σ1(x) = ROTR(x,19) XOR ROTR(x,61) XOR SHR(x,6)
Thus, in the first 16 steps of processing, the value of Wt is equal to the corresponding word in the message block. For the remaining 64 steps, the value of Wt consists of the circular left shift by one bit of the XOR of four of the preceding values of Wt, with two of those values subjected to shift and rotate operations. This introduces a great deal of redundancy and interdependence into the message blocks that are compressed, which complicates the task of finding a different message block that maps to the same compression function output. See text for details of an example based on one in FIPS 180.

45 SHA-512 Round Function
The first 16 values of Wt are taken directly from the 16 words of the current block. The remaining values are defined as a function of the earlier values using ROTates, SHIFTs and XORs. The function elements are:
σ0(x) = ROTR(x,1) XOR ROTR(x,8) XOR SHR(x,7)
σ1(x) = ROTR(x,19) XOR ROTR(x,61) XOR SHR(x,6)

46 SHA-512 Round Function
For the remaining 64 steps, the value of Wt consists of the ROTates, SHIFTs and XORs. This introduces a great deal of redundancy and interdependence into the message blocks that are compressed, which complicates the task of finding a different message block that maps to the same compression function output.

47 Summary
In this session, we have considered authentication using
• message encryption
• MACs
• Basic Hash functions
• Secure Hash Algorithms

48 THANK YOU!

