Presentation is loading. Please wait.

Presentation is loading. Please wait.

11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.

Published byJeffery Houston Modified over 8 years ago

Similar presentations

Presentation on theme: "11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication."— Presentation transcript:

1 11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication

2 11.2 Objectives ❏ To define message integrity ❏ To define message authentication ❏ To define criteria for a cryptographic hash function ❏ To define the Random Oracle Model and its role in evaluating the security of cryptographic hash functions ❏ To distinguish between an MDC and a MAC ❏ To discuss some common MACs

3 11.3 The cryptography systems that we have studied so far provide secrecy, or confidentiality, but not integrity. However, there are occasions where we may not even need secrecy but instead must have integrity. 11.1 MESSAGE INTEGRITY

4 11.4 One way to preserve the integrity of a document is through the use of a fingerprint. If Alice needs to be sure that the contents of her document will not be changed, she can put her fingerprint at the bottom of the document. Eve cannot modify the contents of this document or create a false document because she cannot forge Alice’s fingerprint. Fingerprint on the document can be compared to Alice’s fingerprint on file. 11.1.1 Document and Fingerprint

5 11.5 The electronic equivalent of the document and fingerprint pair is the message and digest pair. To preserve the integrity of a message, the message is passed through an algorithm called a cryptographic hash function which creates a compressed image of the message. 11.1.2 Message and Message Digest Figure 11.1 Message and digest

6 11.6 The two pairs ( document / fingerprint ) and ( message /message digest ) are similar, with some differences. The document and fingerprint are physically linked together. The message and message digest can be unlinked separately, and, most importantly, the message digest needs to be safe from change. Note that the message digest needs to be safe from change. 11.1.3 Difference

7 11.7 11.1.4 Checking Integrity Figure 11.2 Checking integrity

8 11.8 A cryptographic hash function must satisfy three criteria: preimage resistance, second preimage resistance, collision resistance. 11.1.5 Cryptographic Hash Function Criteria Figure 11.3 Criteria of a cryptographic hash function

9 11.9 Preimage Resistance Figure 11.4 Preimage 11.1.5 Cryptographic Hash Function Criteria

10 11.10 Can we use a conventional lossless compression method such as StuffIt as a cryptographic hash function? Example 11.1 Solution We cannot. A lossless compression method creates a compressed message that is reversible. Can we use a checksum function as a cryptographic hash function? Example 11.2 Solution We cannot. A checksum function is not preimage resistant, Eve may find several messages whose checksum matches the given one. 11.1.5 Cryptographic Hash Function Criteria

11 11.11 Second Preimage Resistance Figure 11.5 Second preimage 11.1.5 Cryptographic Hash Function Criteria

12 11.12 Collision Resistance Figure 11.6 Collision 11.1.5 Cryptographic Hash Function Criteria

13 11.13 11.2 RANDOM ORACLE MODEL The Random Oracle Model, which was introduced in 1993 by Bellare and Rogaway, is an ideal mathematical model for a hash function.

14 11.14 11.2 RANDOM ORACLE MODEL A hash function based on the Random Oracle Model, behaves as follows: 1.When a new message of any length is given, the oracle creates and gives a fixed-length message digest that is a random string of 0 s and 1 s. The oracle records the message and the message digest. 2. When a message is given for which a digest exists, the oracle simply gives the digest in the record. 3. The digest for a new message needs to be chosen independently from all previous digests. This implies that oracle cannot use a formula or an algorithm to calculate the digest.

15 11.15 Assume an oracle with a table and a fair coin. The table has two columns. Also assume that the digest is always 16 bits. Example 11.3 a.The message AB1234CD8765BDAD is given for digest calculation. The oracle checks its table. This message id not in the table, so the oracle flips its coin 16 times. 11.2 RANDOM ORACLE MODEL

16 11.16 Example 11.3(Continued) b.The message 4523AB1352CDEF45126 is given for digest calculation. The oracle checks its table and finds that there is a digest for this message in the table (first row). The oracle simply gives the corresponding digest (13AB). 11.2 RANDOM ORACLE MODEL

17 11.17 The oracle in Example 11.3 cannot use a formula or algorithm to create the digest for a message. For example, imagine the oracle uses the formula h(M) = M mod n. Now suppose that the oracle has already given h(M 1 ) and h(M 2 ). If a new message is presented as M 3 = M 1 + M 2, the oracle does not have to calculate the h(M 3 ). The new digest is just [ h(M 1 ) + h(M 2 )] mod n since Example 11.4 This violates the third requirement that each digest must be randomly chosen based on the message given to the oracle. 11.2 RANDOM ORACLE MODEL

18 11.18 If n pigeonholes are occupied by n + 1 pigeons, then at least one pigeonhole is occupied by two pigeons. The generalized version of the pigeonhole principle is that if n pigeonholes are occupied by kn + 1 pigeons, then at least one pigeonhole is occupied by k+1 pigeons. 11.2.1 Pigeonhole Principle

19 11.19 Assume that the messages in a hash function are 6 bits long and the digests are only 4 bits long. Then the possible number of digests (pigeonholes) is 2 4 = 16, and the possible number of messages (pigeons) is 2 6 = 64. This means n = 16 and kn + 1 = 64, so k is larger than 3. The conclusion is that at least one digest corresponds to ( k + 1 ) messages. Example 11.5 11.2.1 Pigeonhole Principle

20 11.20 11.2.2 Birthday Problems Figure 11.7 Four birthday problems

21 11.21 The birthday problems are described in terms that can be applied to security of hash functions. The terms likely in all cases means with the probability P ≥ 1/2. ❏ Problem 1 : What is the minimum number, k, of students in a classroom such that it is likely that at least one student has predefined birthday? We have a uniformly distributed random variable with N possible values (between 0 and N-1 ). What is the minimum number of instances, k, such that it is likely that at least one instance is equal to a predefined one? Description of Problems 11.2.2 Birthday Problems

22 11.22 ❏ Problem 2 : What is the minimum number, k, of students in a classroom such that it is likely that at least one student has the same birthday as the student selected by the professor ? We have a uniformly distributed random variable with N possible values (between 0 and N-1 ). What is the minimum number of instances, k, such that it is likely that at least one instance is equal to selected one? Description of Problems 11.2.2 Birthday Problems (Continued)

23 11.23 ❏ Problem 3 : What is the minimum number, k, of students in a classroom such that it is likely that at least two students has the same birthday? We have a uniformly distributed random variable with N possible values (between 0 and N-1 ). What is the minimum number of instances, k, such that it is likely that at least two instances are equal? Description of Problems 11.2.2 Birthday Problems (Continued)

24 11.24 ❏ Problem 4 : We have two classes, each with k students. What is the minimum value of k so that it is likely that at least one student from the first classroom has the same birthday as the student from the second classroom? We have a uniformly distributed random variable with N possible values (between 0 and N-1 ). We generate two sets of random values each with k instances. What is the minimum number of, k, such that it is likely from the first set is equal to one instance in the second set? Description of Problems 11.2.2 Birthday Problems (Continued)

25 11.25 Solutions to these problems are given in Appendix E for interested readers; The results are summarized in Table 11.3. 11.2.2 Birthday Problems Summary of Solutions

26 11.26 Problem 1 and 2 are related to preimage and second preimage attacks; Problem 3 and 4 are related to the collision attack. The comparison shows it is much more difficult to launch a preimage or second preimage attack than to launch a collision attack. 11.2.2 Birthday Problems Comparison

27 11.27 Comparison Figure 11.8 Graph of four birthday problem 11.2.2 Birthday Problems (Continued)

28 11.28 11.2.3 Attacks on Random Oracle Model Preimage Attack P ≈ 1-e -k/N ≥ 1/2. k ≈ 0.69 × N ≈ 0.69 × 2 n. The difficulty of a preimage attack is proportional to 2 n. (Continued)

29 11.29 A cryptographic hash function uses a digest of 64 bits. How many digests does Eve need to create to find the original message with the probability more than 0.5? Example 11.6 Solution The number of digests to be created is k ≈ 0.69 × 2 n ≈ 0.69 × 2 64. This is a large number. Even if Eve can create 2 30 (almost one billion) messages per second, it takes 0.69 × 2 34 seconds or more than 500 years. This means that a message digest of size 64 bits is secure with respect to preimage attack, but, as we will see shortly, is not secured to collision attack. 11.2.3 Attacks on Random Oracle Model

30 11.30 Second Preimage Attack 11.2.3 Attacks on Random Oracle Model The difficulty of a second preimage attack is proportional to 2 n.

31 11.31 Collision Attack 11.2.3 Attacks on Random Oracle Model The difficulty of a collision attack is proportional to 2 n/2.

32 11.32 A cryptographic hash function uses a digest of 64 bits. How many digests does Eve need to create to find two messages with the same digest with the probability more than 0.5 ? Example 11.7 Solution The number of digests to be created is k ≈ 1.18 × 2 n/2 ≈ 1.18 × 232. If Eve can test 2 20 (almost one million) messages per second, it takes 1.18 × 2 12 seconds, or less than two hours. This means that a message digest of size 64 bits is not secure against the collision attack. 11.2.3 Attacks on Random Oracle Model

33 11.33 Alternate Collision Attack 11.2.3 Attacks on Random Oracle Model The difficulty of an alternative collision attack is proportional to 2 n/2.

34 11.34 Table 11.4 shows the level of difficulty for each attack if the digest is n bits. 11.2.3 Attacks on Random Oracle Model Summary of Attacks

35 11.35 Originally hash functions with a 64 -bit digest were believed to be immune to collision attacks. But with the increase in the processing speed, today everyone agrees that these hash functions are no longer secure. Eve needs only 2 64/2 = 2 32 tests to launch an attack with probability 1/2 or more. Assume she can perform 2 20 (one million) tests per second. She can launch an attack in 2 32 /2 20 = 2 12 seconds (almost an hour). Example 11.8 11.2.3 Attacks on Random Oracle Model

36 11.36 MD5 (see Chapter 12), which was one of the standard hash functions for a long time, creates digests of 128 bits. To launch a collision attack, the adversary needs to test 2 64 ( 2 128 /2 ) tests in the collision algorithm. Even if the adversary can perform 2 30 (more than one billion) tests in a second, it takes 2 34 seconds (more than 500 years) to launch an attack. This type of attack is based on the Random Oracle Model. It has been proved that MD5 can be attacked on less than 2 64 tests because of the structure of the algorithm. Example 11.9 11.2.3 Attacks on Random Oracle Model

37 11.37 SHA-1 (see Chapter 12), a standard hash function developed by NIST, creates digests of 160 bits. To launch a collision attack, the adversary needs to test 2 160/2 = 2 80 tests in the collision algorithm. Even if the adversary can perform 2 30 (more than one billion) tests in a second, it takes 2 50 seconds (more than ten thousand years) to launch an attack. However, researchers have discovered some features of the function that allow it to be attacked in less time than calculated above. Example 11.10 11.2.3 Attacks on Random Oracle Model

38 11.38 The new hash function, that is likely to become NIST standard, is SHA-512 (see Chapter 12), which has a 512 -bit digest. This function is definitely resistant to collision attacks based on the Random Oracle Model. It needs 2 512/2 = 2 256 tests to find a collision with the probability of 1/2. Example 11.11 11.2.3 Attacks on Random Oracle Model

39 11.39 The analysis about the attacks based on an ideal cryptographic hash function provides systematic evaluation of the algorithms. But practical hash functions can have some internal structures that make them much weaker. It is not possible to make a hash function that creates digests that are completely random. The adversary may have other tools to attack hash function. One of these tools, for example, is the meet-in-the-middle attack that we discussed in Chapter 6 for double DES. 11.2.4 Attacks on the Structure

40 11.40 11.3 MESSAGE AUTHENTICATION A message digest does not authenticate the sender of the message. To provide message authentication, Alice needs to provide proof that it is Alice sending the message and not an impostor. The digest created by a cryptographic hash function is normally called a modification detection code (MDC). What we need for message authentication is a message authentication code (MAC).

41 11.41 A modification detection code (MDC) is a message digest that can prove the integrity of the message: that message has not been changed. If Alice needs to send a message to Bob and be sure that the message will not change during transmission, Alice can create a message digest, MDC, and send both the message and the MDC to Bob. Bob can create a new MDC from the message and compare the received MDC and the new MDC. If they are the same, the message has not been changed. 11.3.1 Modification Detection Code (MDC)

42 11.42 Figure 11.9 Modification detection code (MDC) 11.3.1 Modification Detection Code (MDC)

43 11.43 11.3.2 Message Authentication Code (MAC) Figure 11.10 Message authentication code Need to ensure the integrity of the message and the data origin authentication. The difference between a MDC and a MAC is that MAC includes a secret between Alice and Bob. MAC = h(K | M)

44 11.44 11.3.2 Message Authentication Code (MAC) Prefix MAC (the key appended to the beginning of the message) Postfix MAC (the key appended to the end of the message) We can combine the prefix and postfix MAC, with the same key or two different keys.

45 11.45 11.3.2 Message Authentication Code (MAC) Note that the security of a MAC depends on the security of the underlying hash algorithm. Security of a MAC Three possible cases of Eve forging a message: 1.Exhaustive search of key. 2.The preimage attack: Eve can find the key from the intercepted MAC (= h(K | M) ). (* Thus Eve can successfully replace the message with a forged one. *) 3. Given some pairs of messages and their MACs, Eve can manipulate them to come up with a new message and its MAC.

46 11.46 Nested MAC Figure 11.11 Nested MAC 11.3.2 Message Authentication Code (MAC) To improve the security of a MAC.

47 11.47 HMAC 11.3.2 Message Authentication Code (MAC) NIST has issued a standard (FIPS198) for a nested MAC that is referred to as HMAC (hashed MAC). 1.The message is divided into N blocks, each of b bits. 2.The secret key is left-padded with 0 ’s to create a b -bit key. Note that it is recommended that secret key (before padding) be longer than n bits, where n is the size of the HMAC. 3.The result of step 2 is XORed with a constant called ipad (input pad) to create a b -bit block. The value of ipad is the b/8 repetition of the sequence 00110110 (( 36 ) 16 ). 4.The resulting block is prepended to N -block message. 5.The result of step 4 is hashed to create an n -bit digest. We call the digest the intermediate HMAC.

48 11.48 HMAC (Continued) 11.3.2 Message Authentication Code (MAC) 6. The intermediate n -bit HMAC is left padded with 0 s to make a b -bit block. 7. Step 2 and 3 are repeated by a different constant opad (output pad). The value of opad is the b/8 repetition of the sequence 01011100 (( 5C ) 16 ). 8. The result of step 7 is prepended to the block of step 6. 9. The result of step 8 is hashed with the same hashing algorithm to create the final n -bit HMAC.

49 11.49 Figure 11.12 Details of HMAC 11.3.2 Message Authentication Code (MAC) HMAC (Continued) ( 5C5C5C5C5C5C5C5C ) 16 ( 3636363636363636 ) 16

50 11.50 CMAC 11.3.2 Message Authentication Code (MAC) NIST has also defined a standard (FIPS113) called Data Authentication Algorithm, or CMAC, or CBCMAC. The method is similar to CBC mode. However, the idea is to create one block of MAC from N blocks of plaintext, not to create N blocks of ciphertext from N blocks of plaintext. The message is divided into N blocks, each m bits long. The size of CMAC is n bits. If the last block is not m bits, it is padded with a 1 -bit followed by enough 0 -bits to make it m bits.

51 11.51 11.3.2 Message Authentication Code (MAC) The n leftmost bit from the last block is the CMAC. In addition to the symmetric key, K, CMAC also uses another key, k, which applied only at the last step. The result from the Encryption algorithm is multiplied by x if no padding is applied and is multiplied by x 2 if padding is applied. The multiplications is in GF ( 2 m ) with irreducible polynomial of degree m selected by the particular protocol used. CMAC (Continued)

52 11.52 Figure 11.13 CMAC 11.3.2 Message Authentication Code (MAC) CMAC (Continued)

Download ppt "11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication."

Similar presentations

Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.

Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Cryptographic Hash Functions Rocky K. C. Chang, February 2013 1.

Cryptographic Hash Functions Rocky K. C. Chang, February
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Information Security and Management 11

Information Security and Management 11
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)

Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part I.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part I.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.

Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google