1. Message Authentication

2. Message Authentication
message authentication is concerned with:
protecting the integrity of a message
validating identity of originator
non-repudiation of origin (dispute resolution)
Will consider the security requirements
then three alternative functions used:
Message encryption
Cryptographic checksum
Hash function
Up till now, have been concerned with protecting message content (ie secrecy) by encrypting the message. Will now consider how to protect message integrity (ie protection from modification), as well as confirming the identity of the sender. Generically this is the problem of message authentication, and in eCommerce applications is arguably more important than secrecy.

3. Authentication Requirements
Kind of attacks in the context of communications across a network
Disclosure
Traffic analysis
Masquerade
Content modification
Sequence modification
Timing modification
Source repudiation
Destination repudiation
Confidentiality
Message
Authentication
Digital
Signature
Specialized Digital Signature

4. Authentication Requirements
Message authentication
A procedure to verify that received messages come from the alleged source and have not been altered
Message authentication may also verify sequencing and timeliness
Digital signature
An authentication technique that also includes measures to counter repudiation by the source

5. Authentication Functions
Message authentication or digital signature mechanism can be viewed as having two levels
At lower level: there must be some sort of functions producing an authenticator – a value to be used to authenticate a message
This lower level functions is used as primitive in a higher level authentication protocol

6. Authentication Functions
Three classes of functions that may be used to produce an authenticator
Message encryption
Ciphertext itself serves as authenticator
Message authentication code (MAC)
A function of the message and a secret key that produces a fixed-length value that serves as the authenticator
Hash function
A function that maps a message of any length into a fixed-length hash value that serves as the authenticator

7. Message Encryption
Message encryption by itself also provides a measure of authentication (as well as confidentiality)
If symmetric encryption is used then:
receiver know sender must have created it
since only sender and receiver now key used
know content cannot of been altered
if message has suitable structure, redundancy or a checksum to detect any changes

8. Message Encryption If public-key encryption is used:
encryption provides no confidence of sender
since anyone potentially knows public-key
however if
sender signs message using their private-key
then encrypts with recipients public key
have both secrecy and authentication
but at cost of two public-key uses on message

9. Basic Uses of Message Encryption

10. (a) Symmetric encryption

11. (b) Public key: confidentiality

12. (c) Public key: authentication & signature

13. (d) Public key: confidentiality, authentication

14. Message Authentication Code (MAC)
Also known as Cryptographic Checksum
Generated by an algorithm that creates a small fixed-sized block
depending on both message and some key
like encryption though need not be reversible
Appended to message as a signature
Receiver performs same computation on message and checks it matches the MAC
Provides assurance that
message is unaltered
Message comes from sender

15. MAC Properties a MAC is a cryptographic checksum
MAC = CK(M)
condenses a variable-length message M
using a secret key K
to a fixed-sized authenticator
is a many-to-one function
potentially many messages have same MAC
but finding these needs to be very difficult

16. Basic Uses of MAC

17. (a) Message authentication

18. (b) Message authentication & confidentiality

19. (c) Message authentication & confidentiality

20. Why Use MACs? Why not just use encryption?
Cleartext stays clear
MAC might be cheaper
Sometimes only authentication is needed
Broadcast
Authentication of executable codes
Sometimes need authentication to persist longer than the encryption (e.g., archival use)
Separation of authentication and confidentiality provides architectural flexibility
MAC does not provide a digital signature
Because both sender and receiver share the same key

21. MAC Based on DES (CBC-MAC)
Last block of CBC mode of DES, with IV = 0
Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
using IV=0 and zero-pad of final block
encrypt message using DES in CBC mode
and send just the final block as the MAC
or the leftmost M bits (16≤M≤64) of final block
Data Authentication Code (DAC) consists of 16 to 64 leftmost bits of ON

22. MAC Based on DES (CBC-MAC)

23. Hash Function One-way hash function
Converts a variable size message M into fixed size hash code H(M) (Sometimes called a message digest)
Unlike the MAC, a hash code does not use a key but is a function only of the input message
Provides message integrity

24. Hash Functions h = H(M) The hash value is appended at the source
M is a variable-length message
h is a fixed-length hash value
H is a hash function
The hash value is appended at the source
The receiver authenticates the message by recomputing the hash value
Because the hash function itself is not considered to be secret, some means is required to protect the hash value

25. Hash Function
Can be used with encryption or a shared key for authentication
E(M || H(M)) : identical to the internal error control strategy
M || E(H(M)) : a MAC
M || signed H : typical digital signature
E(M || signed H)
M || H(M || K) : keyed hash (no encryption)
E(M || H(M || K))

26. Basic Uses of Hash Function

27. Basic Uses of Hash Function

28. Encrypt message + hash code

29. Encrypt hash code

30. Encrypt hash code

31. Encrypt hash code

32. Compute hash code of message + secret value

33. Encrypt hash code of msg + secret value

34. Requirements for Hash Functions
Can be applied to any sized message M
Produces fixed-length output h
Is easy to compute h = H(M) for any message M
Given h is infeasible to find x s.t. H(x)= h
one-way property
Given x is infeasible to find y s.t. H(y)= H(x)
weak collision resistance
Is infeasible to find any x,y s.t. H(y)= H(x)
strong collision resistance
These are the specifications for good hash functions. Essentially it must be extremely difficult to find 2 messages with the same hash, and the hash should not be related to the message in any obvious way (ie it should be a complex non-linear function of the message). There are quite a few similarities in the evolution of hash functions & block ciphers, and in the evolution of the design requirements on both.

35. A Simple Example of Hash Functions
Operation of hash functions
The input is viewed as a sequence of n-bit blocks
The input is processed one block at a time in an iterative fashion to produce an n-bit hash function
Simplest hash function: Bitwise XOR of every block
Ci = bi1  bi2  …  bim
Ci = i-th bit of the hash code, 1  i  n
m = number of n-bit blocks in the input
bij = i-th bit in j-th block
Known as longitudinal redundancy check

36. Hash Algorithms

37. Hash Algorithms
See similarities in the evolution of hash functions & block ciphers
increasing power of brute-force attacks
leading to evolution in algorithms
from DES to AES in block ciphers
from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash algorithms
Likewise tend to use common iterative structure as do block ciphers

38. MD5 designed by Ronald Rivest (the R in RSA)
latest in a series of MD2, MD4
produces a 128-bit hash value
until recently was the most widely used hash algorithm
in recent times have both brute-force & cryptanalytic concerns
specified as Internet standard RFC1321
MD5 is the current, and very widely used, member of Rivest’s family of hash functions.

39. Algorithm
MD5 processes a variable-length message into a fixed-length output of 128 bits.
The input message is broken up into chunks of 512-bit blocks
The main algorithm then operates on each 512-bit message block in turn, each block modifying the state.
The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation.

40. The message is padded so that its length is divisible by 512
first a single bit, 1, is appended to the end of the message.
This is followed by as many zeros as are required to bring the length of the message up to 64 bits fewer than a multiple of 512.

41. Algoritma

42. Strength of MD5 MD5 hash is dependent on all message bits
Rivest claims security is good as can be
known attacks are:
Berson 92 attacked any 1 round using differential cryptanalysis (but can’t extend)
Boer & Bosselaers 93 found a pseudo collision (again unable to extend)
Dobbertin 96 created collisions on MD compression function (but initial constants prevent exploit)
conclusion is that MD5 looks vulnerable soon
Some progress has been made analysing MD5, which along with the hash size of 128-bits means its starting to look too small. Hence interest in hash functions that create larger hashes.

43. Secure Hash Algorithm (SHA-1)
SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1
US standard for use with DSA signature scheme
standard is FIPS , also Internet RFC3174
nb. the algorithm is SHA, the standard is SHS
produces 160-bit hash values
now the generally preferred hash algorithm
based on design of MD4 with key differences
SHA is one of the newer generation of hash functions, more resistant to cryptanalysis, and now probably preferred for new applications.

44. SHA-1 verses MD5
brute force attack is harder (160 vs 128 bits for MD5)
not vulnerable to any known attacks (compared to MD4/5)
a little slower than MD5 (80 vs 64 steps)
both designed as simple and compact
optimised for big endian CPU's (vs MD5 which is optimised for little endian CPU’s)
Compare using the design goals listed earlier.
SHA-1 is probably the preferred hash function for new applications. Currently no problems are known with it.

45. Revised Secure Hash Standard
There are 3 additional hash algorithms
SHA-256, SHA-384, SHA-512
designed for compatibility with increased security provided by the AES cipher
structure & detail is similar to SHA-1
hence analysis should be similar
See Stallings Tables 12.3 and 12.4 for details.

46. RIPEMD-160
RIPEMD-160 was developed in Europe as part of RIPE project in 96
by researchers involved in attacks on MD4/5
initial proposal strengthen following analysis to become RIPEMD-160
somewhat similar to MD5/SHA
uses 2 parallel lines of 5 rounds of 16 steps
creates a 160-bit hash value
slower, but probably more secure, than SHA

47. RIPEMD-160 verses MD5 & SHA-1
brute force attack harder (160 like SHA-1 vs 128 bits for MD5)
not vulnerable to known attacks, like SHA-1 though stronger (compared to MD4/5)
slower than MD5 (more steps)
all designed as simple and compact
SHA-1 optimised for big endian CPU's vs RIPEMD-160 & MD5 optimised for little endian CPU’s
RIPEMD-160 is probably the most secure of the hash algorithms, so would be chosen if that is of major concern.

48. Keyed Hash Functions as MACs
have desire to create a MAC using a hash function rather than a block cipher
because hash functions are generally faster
not limited by export controls unlike block ciphers
hash includes a key along with the message
original proposal:
KeyedHash = Hash(Key|Message)
some weaknesses were found with this
eventually led to development of HMAC

49. HMAC specified as Internet standard RFC2104
uses hash function on the message:
HMACK = Hash[(K+ XOR opad) ||
Hash[(K+ XOR ipad)||M)]]
where K+ is the key padded out to size
and opad, ipad are specified padding constants
overhead is just 3 more hash calculations than the message needs alone
any of MD5, SHA-1, RIPEMD-160 can be used
The idea of a keyed hash evolved into HMAC, designed to overcome some problems with the original proposals. Further have a design that has been shown to have the same security as the underlying hash alg. The hash function need only be used on 3 more blocks than when hashing just the original message (for the two keys + inner hash). Choose hash alg to use based on speed/security concerns.

50. HMAC Overview
Stallings Fig

51. HMAC Overview K, secret key shared between the two parties
K should be larger than L/2, where L is size of hash output (e.g. 160 bits)
Output of HMAC may be truncated (left most significant bits may be transmitted)
an arbitrary purported MAC of t bits on an arbitrary plaintext message may be successfully verified with an expected probability of (1/2)^t

52. HMAC Security
know that the security of HMAC relates to that of the underlying hash algorithm
attacking HMAC requires either:
brute force attack on key used
birthday attack (but since keyed would need to observe a very large number of messages)
choose hash function used based on speed verses security constraints