Prof. Chintan Patel Information Security
CE Department. Unit - 5
MEFGI , RAJKOT
• Authentication Requirements
• Authentication Functions
• Message Authentication Code
• Hash Function
• Security of Hash function and MACs
BOOK: Cryptography and N/W security by William Stallings, 4th Edition.
Chapter : 11, Message Authentication and Hash Function
• Recall that the most important services of a cryptosystem
are
• Confidentiality : Eve does not get information about the message.
• Data integrity : Eve cannot alter the message.
• Authentication : Bob knows for sure that the message comes from
Alice .
• Non-repudiation : Bob can prove to a third party that the message
comes from Alice.
• So far we have looked at confidentiality. Now let us look at the other
services.
• Message authentication is concerned with:
protecting the integrity of a message
validating identity of originator
non-repudiation of origin (dispute resolution)
• will consider the security requirements
• then three alternative functions used:
message encryption
message authentication code (MAC)
hash function
• Kind of attacks (threats) in the context of communications
across a network
1. Disclosure
2. Traffic analysis
3. Masquerade
4. Content modification
5. Sequence modification
6. Timing modification
7. Repudiation
• Measures to deal with the first two attacks:
These are in the realm of message confidentiality and are addressed with
encryption
• Measures to deal with items 3 through 6
Message authentication
• Measures to deal with item 7
Digital signature
• Message authentication
A procedure to verify that messages come from the
alleged source and have not been altered
Message authentication may also verify sequencing and
timeliness
• Digital signature
An authentication technique that also includes measures
to counter repudiation by either source or destination
• Message authentication or digital signature mechanism
can be viewed as having two levels
At the lower level: there must be some sort of function producing
an authenticator – a value to be used to authenticate a message
This lower-level function is used as a primitive in a higher-level
authentication protocol
• Three classes of functions that may be used to produce
an authenticator
Message encryption
Cipher text itself serves as authenticator
Message authentication code (MAC)
A public function that takes variable length message and
a secret key as input and produces an authentication
code or value that serves as the authenticator
Hash function
A public function that maps a message of any length into
a fixed-length hash value or message digest, which
serves as the authenticator
• Conventional encryption can serve as
authenticator
Conventional encryption provides authentication as
well as confidentiality
Requires recognizable plaintext or other structure to
distinguish between well-formed legitimate plaintext
and meaningless random bits
e.g., ASCII text, an appended checksum, or use of layered
protocols
Ways of Providing Structure
• Append an error-detecting code (frame check
sequence (FCS)) to each message
Ways of Providing Structure - 2
• Suppose all of the datagram except the IP header is
encrypted.
• If an opponent substituted some arbitrary bit pattern for
the encrypted TCP segment, the resulting plaintext
would not include a meaningful header
Confidentiality and Authentication Implications of
Message Encryption
• Uses a shared secret key to generate a fixed-size block
of data (known as a cryptographic checksum or MAC)
that is appended to the message
• MAC = C_K(M)
• Assurances:
Message has not been altered
Message is from alleged sender
Message sequence is unaltered (requires internal
sequencing)
• Similar to encryption, but the MAC algorithm need not be
reversible
Basic Uses of MAC
i.e., why not just use encryption?
• Cleartext stays clear
• MAC might be cheaper
• Broadcast
• Authentication of executable codes
• Architectural flexibility
• Separation of authentication check from
message use
“Converts a variable size message M into
fixed size hash code H(M) (sometimes
called a message digest)”
• usually assume that the hash function is public
and not keyed
cf. MAC which is keyed
• hash used to detect changes to message
• can use in various ways with message
• most often to create a digital signature
• Can be used with encryption for
authentication
E(M || H)
M || E(H)
M || signed H
E( M || signed H ) gives confidentiality
M || H( M || K )
E( M || H( M || K ) )
Basic Uses of Hash Function
• h = H(M)
• M is a variable-length message, h is a fixed-
length hash value, H is a hash function
• The hash value is appended at the source
• The receiver authenticates the message by
recomputing the hash value
• Because the hash function itself is not
considered to be secret, some means is required
to protect the hash value
1. H can be applied to any size data block
2. H produces fixed-length output
3. H(x) is relatively easy to compute for any given x
4. H is one-way, i.e., given h, it is computationally
infeasible to find any x s.t. h = H(x)
5. H is weakly collision resistant: given x, it is
computationally infeasible to find any y ≠ x s.t. H(x) =
H(y)
6. H is strongly collision resistant: it is computationally
infeasible to find any x and y s.t. H(x) = H(y)
• One-way property is essential for
authentication
• Weak collision resistance is necessary to
prevent forgery
• Strong collision resistance is important for
resistance to birthday attack
• Operation of hash functions
The input is viewed as a sequence of n-bit blocks
The input is processed one block at a time in an iterative fashion to
produce an n-bit hash function
• Simplest hash function: Bitwise XOR of every block
C_i = b_i1 ⊕ b_i2 ⊕ … ⊕ b_im
C_i = i-th bit of the hash code, 1 ≤ i ≤ n
m = number of n-bit blocks in the input
b_ij = i-th bit in j-th block
Known as longitudinal redundancy check
• Improvement over the simple
bitwise XOR
– Initially set the n-bit hash value to zero
– Process each successive n-bit block of data as
follows
» Rotate the current hash value to the left by
one bit
» XOR the block into the hash value
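Added example (not part of the original slides): both simple hash functions above on 8-bit blocks, showing that plain XOR ignores block order, that the rotate-then-XOR version detects reordering, and that neither is weakly collision resistant because one extra block can force any hash value. The function names and the sample messages are constructed for this illustration.

```python
def xor_hash(data: bytes) -> int:
    """Longitudinal redundancy check: XOR of every 8-bit block."""
    h = 0
    for block in data:
        h ^= block
    return h

def rotl8(x: int) -> int:
    """Rotate an 8-bit value left by one bit."""
    return ((x << 1) | (x >> 7)) & 0xFF

def rotated_xor_hash(data: bytes) -> int:
    """Improved version: rotate the running hash left one bit, then XOR the block."""
    h = 0
    for block in data:
        h = rotl8(h) ^ block
    return h

def matching_block(forged: bytes, target: int) -> bytes:
    """One trailing block that makes rotated_xor_hash(forged + block) == target.
    Its existence is why this hash fails weak collision resistance."""
    return bytes([rotl8(rotated_xor_hash(forged)) ^ target])

# Constructed sample messages
GENUINE = b"PAY ALICE 100"
REORDERED = b"PAY ALICE 001"    # same bytes, different order
FORGED = b"PAY MALLORY 900"

def demo() -> dict:
    target = rotated_xor_hash(GENUINE)
    patched = FORGED + matching_block(FORGED, target)
    return {
        "xor_misses_reordering": xor_hash(GENUINE) == xor_hash(REORDERED),
        "rotated_detects_reordering": target != rotated_xor_hash(REORDERED),
        "rotated_still_forgeable": rotated_xor_hash(patched) == target,
    }

if __name__ == "__main__":
    print(demo())
```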
• If the adversary can generate 2^(m/2) variants of a valid
message and an equal number of fraudulent messages
• The two sets are compared to find one message from
each set with a common hash value
• The valid message is offered for signature
• The fraudulent message with the same hash value is
inserted in its place
• If a 64-bit hash code is used, the level of effort is only
on the order of 2^32
• Conclusion: the length of the hash code must be
substantial
Generating 2^(m/2) Variants of Valid
Messages
• Insert a number of
“space-backspace-space”
character pairs between
words throughout the
document.
Variations could then be
generated by substituting
“space-backspace-space”
in selected instances
• Alternatively, simply
reword the message but
retain the meaning
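Added example (not part of the original slides): the birthday search described above, run against a deliberately tiny m = 16-bit hash (SHA-256 truncated) to show why the hash length must be substantial. The messages, the function names and the choice of 8 × 2^(m/2) variants per set (which makes a match all but certain, where exactly 2^(m/2) makes it only likely) are assumptions of this illustration.

```python
import hashlib

M_BITS = 16  # toy hash length m, kept small so the search finishes instantly

# Constructed sample messages: 13 words each, so 12 word gaps to vary.
VALID = "I agree to pay Bob the sum of 100 rupees on 1 May"
FRAUD = "I agree to pay Eve the sum of 90000 rupees on 1 May"

def h_m(msg: bytes) -> int:
    """SHA-256 truncated to M_BITS bits, standing in for a short hash code."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:M_BITS // 8], "big")

def variants(text: str, count: int):
    """Yield `count` variants that render identically: every gap between
    words is either ' ' or ' \\b ' (space-backspace-space)."""
    words = text.split(" ")
    assert count <= 2 ** (len(words) - 1), "not enough word gaps"
    for n in range(count):
        out = words[0]
        for gap, word in enumerate(words[1:]):
            out += (" \b " if (n >> gap) & 1 else " ") + word
        yield out.encode()

def birthday_pair(valid: str, fraud: str, per_set: int):
    """Return (valid_variant, fraud_variant, hashes_computed) with equal
    hash codes, or None if the two sets share no hash value."""
    seen = {h_m(v): v for v in variants(valid, per_set)}
    for tried, f in enumerate(variants(fraud, per_set), start=1):
        match = seen.get(h_m(f))
        if match is not None:
            return match, f, per_set + tried
    return None

if __name__ == "__main__":
    v, f, work = birthday_pair(VALID, FRAUD, 8 * 2 ** (M_BITS // 2))
    print(f"common hash {h_m(v):#06x} after {work} hashes; "
          f"the hash space holds {2 ** M_BITS} values")
```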
• Three desirable properties of hash functions
One-way: For any given code h, it is
computationally infeasible to find x s.t. H(x) = h
Weak collision resistance: For any given block x,
it is computationally infeasible to find y ≠ x s.t.
H(y) = H(x)
Strong collision resistance: It is computationally
infeasible to find any pair (x, y) s.t. H(y) = H(x)
• like block ciphers have:
• brute-force attacks exploiting
strong collision resistance hash have cost 2^(m/2)
have proposal for h/w MD5 cracker
128-bit hash looks vulnerable, 160-bits better
MACs with known message-MAC pairs
can either attack keyspace (cf key search) or MAC
at least 128-bit MAC is needed for security
• MD5 algorithm was developed by Professor Ronald L.
Rivest in 1991.
• According to RFC 1321, “MD5 message-digest algorithm
takes as input a message of arbitrary length and
produces as output a 128-bit "fingerprint" or
"message digest" of the input.
• The MD5 algorithm is intended for digital signature
applications, where a large file must be "compressed" in
a secure manner before being encrypted with a private
(secret) key under a public-key cryptosystem such as
RSA.”
• Step1 : Append padding bits
• The input message is "padded" (extended) so that its
length (in bits) is congruent to 448 mod 512. Padding is always
performed, even if the length of the message is already
448 mod 512.
• Padding is performed as follows: a single "1" bit is
appended to the message, and then "0" bits are
appended so that the length in bits of the padded
message becomes congruent to 448 mod 512. At least
one bit and at most 512 bits are appended.
• Step2 : Append length
• A 64-bit representation of the length of the message
is appended to the result of step1. If the length of the
message is greater than 2^64, only the low-order 64 bits
will be used.
The resulting message (after padding with bits and
with b) has a length that is an exact multiple of 512
bits. Equivalently, it has a length that is an exact
multiple of 16 (32-bit) words.
• Step3. Initialize MD buffer
A four-word buffer (A, B, C, D) is used to compute the
message digest. Each of A, B, C, D is a 32-bit register.
These registers are initialized to the following values (in
hexadecimal, low-order bytes first):
word A: 01 23 45 67
word B: 89 ab cd ef
word C: fe dc ba 98
word D: 76 54 32 10
• Step4 : Process message in 16-word blocks
Four functions will be defined such that each function
takes an input of three 32-bit words and produces a
32-bit word output.
F (X, Y, Z) = XY or not (X) Z
G (X, Y, Z) = XZ or Y not (Z)
H (X, Y, Z) = X xor Y xor Z
I (X, Y, Z) = Y xor (X or not (Z))
• Step 4 – Process message in 16-word blocks cont.
• If the bits of X, Y, and Z are independent and
unbiased, then each bit of F(X,Y,Z), G(X,Y,Z),
H(X,Y,Z), and I(X,Y,Z) will be independent and
unbiased.
• Step 5 – output
• The message digest produced as output is A, B, C, D.
• That is, output begins with the low-order byte of A, and
ends with the high-order byte of D.
• One MD5 operation. MD5 consists of 64 of these
operations, grouped in four rounds of 16
operations.
• F is a nonlinear function; one function is used in
each round. Mi denotes a 32- bit block of the
message input, and Ki denotes a 32-bit constant,
different for each operation.
Round 1.
[abcd k s i] denotes the operation
a = b + ((a + F(b, c, d) + X[k] + T[i]) <<< s).
Do the following 16 operations.
[ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4]
[ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8]
[ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12]
[ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16]
• Comparing to other digest algorithms, MD5 is simple to
implement, and provides a "fingerprint" or message
digest of a message of arbitrary length.
• It performs very fast on 32-bit machine.
• MD5 is used heavily by everyone from large corporations, such
as IBM and Cisco Systems, to individual programmers.
• MD5 is considered one of the most efficient algorithms
currently available.
Authentication Requirements:
• Masquerade – Insertion of message from fraudulent
source
• Content Modification – Changing content of message
• Sequence Modification – Insertion, deletion and
reordering sequence
• Timing Modification – Replaying valid sessions
• Message Digest or “Fingerprint”
→ Compressed Representation
→ Easy to generate for a given file.
• Computationally infeasible to produce two
messages with same message digest
• Impossible to recreate a message given a message
digest.
• Data Integrity and Comparison Checking
→ Message Integrity Validation
• Public Key Algorithms
– Password Logins
– Encryption Key Management
– Digital Signatures
• Integrity Checking
– Virus and Malware Scanning
• Authentication
– Secure Web Connections
• (PGP, SSL, SSH, S/MIME)
SHA originally designed by NIST & NSA in 1993
was revised in 1995 as SHA-1
US standard for use with DSA signature scheme
standard is 180-1 1995, also Internet RFC3174
the algorithm is SHA, the standard is SHS
based on design of MD5 with key differences
produces 160-bit hash values
recent 2005 results on security of SHA-1 have
raised concerns on its use in future applications
Step 1: Append Padding Bits….
Message is “padded” with a 1 and as many 0’s as necessary
to bring the message length to 64 bits fewer than an even
multiple of 512.
Step 2: Append Length....
64 bits are appended to the end of the padded message. These bits hold
the binary format of 64 bits indicating the length of the original
message.
Step 3: Prepare Processing Functions….
SHA1 requires 80 processing functions defined as:
f(t;B,C,D) = (B AND C) OR ((NOT B) AND D) ( 0 <= t <= 19)
f(t;B,C,D) = B XOR C XOR D (20 <= t <= 39)
f(t;B,C,D) = (B AND C) OR (B AND D) OR (C AND D) (40 <= t <=59)
f(t;B,C,D) = B XOR C XOR D (60 <= t <= 79)
Step 4: Prepare Processing Constants....
SHA1 requires 80 processing constant words defined as:
K(t) = 0x5A827999 ( 0 <= t <= 19)
K(t) = 0x6ED9EBA1 (20 <= t <= 39)
K(t) = 0x8F1BBCDC (40 <= t <= 59)
K(t) = 0xCA62C1D6 (60 <= t <= 79)
Step 6: Processing Message in 512-bit blocks (L
blocks in total message)….
This is the main task of SHA1 algorithm which loops through the
padded and appended message in 512-bit blocks.
Input and predefined functions:
M[1, 2, ..., L]: Blocks of the padded and appended message
f(0;B,C,D), f(1;B,C,D), ..., f(79;B,C,D): 80 Processing Functions
K(0), K(1), ..., K(79): 80 Processing Constant Words
H0, H1, H2, H3, H4: 5 Word buffers with initial values
Step 6: Pseudo Code….
For loop on k = 1 to L
    (W(0),W(1),...,W(15)) = M[k] /* Divide M[k] into 16 words */
    For t = 16 to 79 do:
        W(t) = (W(t-3) XOR W(t-8) XOR W(t-14) XOR W(t-16)) <<< 1
    A = H0, B = H1, C = H2, D = H3, E = H4
    For t = 0 to 79 do:
        TEMP = (A<<<5) + f(t;B,C,D) + E + W(t) + K(t)
        E = D, D = C, C = B<<<30, B = A, A = TEMP
    End of for loop
    H0 = H0 + A, H1 = H1 + B, H2 = H2 + C, H3 = H3 + D, H4 = H4 + E
End of for loop
Output:
H0, H1, H2, H3, H4: Word buffers with final message digest
• a = 6A09E667F3BCC908
• b = BB67AE8584CAA73B
• c = 3C6EF372FE94F82B
• d = A54FF53A5F1D36F1
• e = 510E527FADE682D1
• f = 9B05688C2B3E6C1F
• g = 1F83D9ABFB41BD6B
• h = 5BE0CD19137E2179
• HMAC stands for Hash-based Message
Authentication Code
• It is used to verify data integrity and authenticity of
a message
• It uses current cryptographic hash functions with
a secret key (SHA or MD5)
The name of the function changes depending on what
hash function you use
MD5 would result in HMAC-MD5
SHA# would result in HMAC-SHA#
• The strength of HMAC relies on the strength of
the HASH used and the Quality of the key
• The outputted size is the same as the hash
function
128-bit with MD5 or 160-bit with SHA-1
• Some terms to help out with the next slide:
H = hash function
K = key
M = message
|| = concatenation
XOR = XOR
o_key_pad = outer padding (one block long 0x5c)
i_key_pad = inner padding (one block long 0x36)
• In short:
HMAC(k,m) = H((k XOR o_key_pad) || H((k XOR i_key_pad) || m))
Function hmac (k, m)
    if (length(k) > blocksize) then
        k = hash(k)
    endif
    if (length(k) < blocksize) then
        k = k || (0x00 * (blocksize - length(k)))
    endif
    o_key_pad = (0x5c * blocksize) XOR k
    i_key_pad = (0x36 * blocksize) XOR k
    return hash(o_key_pad || hash(i_key_pad || m))
End Function
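Added example (not part of the original slides): the hmac(k, m) pseudocode above transcribed into Python, together with the receiver-side check and key generation at the hash output length. The names hmac_from_slide, verify_tag and new_key are chosen for this illustration; the standard library's hmac module is used only for constant-time comparison and as a reference.

```python
import hashlib
import hmac
import secrets

def hmac_from_slide(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """Direct transcription of the hmac(k, m) pseudocode."""
    blocksize = hashlib.new(hash_name).block_size      # 64 bytes for MD5 and SHA-1
    if len(key) > blocksize:
        key = hashlib.new(hash_name, key).digest()     # long keys are hashed first
    key = key.ljust(blocksize, b"\x00")                # then zero-padded to one block
    o_key_pad = bytes(b ^ 0x5C for b in key)
    i_key_pad = bytes(b ^ 0x36 for b in key)
    inner = hashlib.new(hash_name, i_key_pad + msg).digest()
    return hashlib.new(hash_name, o_key_pad + inner).digest()

def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the tag and compare in constant time,
    so the comparison does not leak how many leading bytes matched."""
    return hmac.compare_digest(hmac_from_slide(key, msg, hash_name), tag)

def new_key(hash_name: str = "sha1") -> bytes:
    """Random key as long as the hash output (16 bytes for MD5, 20 for SHA-1)."""
    return secrets.token_bytes(hashlib.new(hash_name).digest_size)

def long_key_equals_its_hash(hash_name: str = "sha1") -> bool:
    """Consequence of the first 'if': a key longer than one block and the
    hash of that key produce the same tag, so extra key length adds nothing."""
    long_key = b"K" * 100                              # constructed sample key
    short_key = hashlib.new(hash_name, long_key).digest()
    msg = b"constructed sample message"
    return hmac_from_slide(long_key, msg, hash_name) == hmac_from_slide(short_key, msg, hash_name)

if __name__ == "__main__":
    key = new_key()
    tag = hmac_from_slide(key, b"transfer 100 to Bob")
    print(verify_tag(key, b"transfer 100 to Bob", tag))    # True
    print(verify_tag(key, b"transfer 900 to Bob", tag))    # False
```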
• Using MD5 as the hashing function in HMAC does
not seem to compromise the function in regards
to the MD5 weaknesses.
• Although SHA is much stronger, MD5 is best for
performance if it is needed.
• The most common attack against HMAC is brute
force to get the secret key.
• HMAC is substantially less affected by collisions
than the hash function by itself.
• A key can be of any length
However, keys shorter than the byte length of
the hash output are discouraged
(16 for MD5, and 20 for SHA)
• Keys need to be chosen at random
A longer key may be advisable if the randomness of
the key is weak
• Use a cryptographically strong pseudo-random
generator seeded with a random seed that is refreshed
This is generally a good security practice, and will limit
the damage to keys and functions