Unit 5

MAC , Hash function , MD5 , SHA-1, SHA-512 , HMAC


Unit 5 Presentation Transcript

  • 1. Prof. Chintan Patel Information Security CE Department. Unit - 5 MEFGI , RAJKOT
  • 2. • Authentication Requirements • Authentication Functions • Message Authentication Code • Hash Function • Security of Hash function and MACs BOOK: Cryptography and Network Security by William Stallings, 4th Edition. Chapter : 11, Message Authentication and Hash Function
  • 3. • Recall that the most important services of a cryptosystem are • Confidentiality : Eve does not get information about the message. • Data integrity : Eve cannot alter the message. • Authentication : Bob knows for sure that the message comes from Alice . • Non-repudiation : Bob can prove to a third party that the message comes from Alice. • So far we have looked at Confidentiality……Now let us see for other services….
  • 4. • Message authentication is concerned with:  protecting the integrity of a message  validating identity of originator  non-repudiation of origin (dispute resolution) • will consider the security requirements • then three alternative functions used:  message encryption  message authentication code (MAC)  hash function
  • 5. • Kinds of attacks (threats) in the context of communications across a network 1. Disclosure 2. Traffic analysis 3. Masquerade 4. Content modification 5. Sequence modification 6. Timing modification 7. Repudiation • Measures to deal with the first two attacks:  These are in the realm of message confidentiality and are addressed with encryption • Measures to deal with items 3 through 6:  Message authentication • Measures to deal with item 7:  Digital signature
  • 6. • Message authentication  A procedure to verify that messages come from the alleged source and have not been altered  Message authentication may also verify sequencing and timeliness • Digital signature  An authentication technique that also includes measures to counter repudiation by either source or destination
  • 7. • A message authentication or digital signature mechanism can be viewed as having two levels  At the lower level: there must be some sort of function producing an authenticator – a value to be used to authenticate a message  This lower-level function is used as a primitive in a higher-level authentication protocol
  • 8. • Three classes of functions that may be used to produce an authenticator  Message encryption  Cipher text itself serves as authenticator  Message authentication code (MAC)  A public function that takes variable length message and a secret key as input and produces an authentication code or value that serves as the authenticator  Hash function  A public function that maps a message of any length into a fixed-length hash value or message digest, which serves as the authenticator
  • 9. • Conventional encryption can serve as authenticator  Conventional encryption provides authentication as well as confidentiality  Requires recognizable plaintext or other structure to distinguish between well-formed legitimate plaintext and meaningless random bits  e.g., ASCII text, an appended checksum, or use of layered protocols
  • 10. Ways of Providing Structure • Append an error-detecting code (frame check sequence (FCS)) to each message
  • 11. Ways of Providing Structure - 2 • Suppose all of the datagram except the IP header is encrypted. • If an opponent substituted some arbitrary bit pattern for the encrypted TCP segment, the resulting plaintext would not include a meaningful header
  • 12. Confidentiality and Authentication Implications of Message Encryption
  • 13. • Uses a shared secret key to generate a fixed-size block of data (known as a cryptographic checksum or MAC) that is appended to the message • MAC = C_K(M) • Assurances:  Message has not been altered  Message is from alleged sender  Message sequence is unaltered (requires internal sequencing) • Similar to encryption but the MAC algorithm need not be reversible
  • 14. Basic Uses of MAC
  • 15. Basic Uses of MAC
  • 16.  i.e., why not just use encryption? • Cleartext stays clear • MAC might be cheaper • Broadcast • Authentication of executable codes • Architectural flexibility • Separation of authentication check from message use
  • 17. “ Converts a variable size message M into fixed size hash code H(M) (Sometimes called a message digest) “ • usually assume that the hash function is public and not keyed  cf. MAC which is keyed • hash used to detect changes to message • can use in various ways with message • most often to create a digital signature
  • 18. • Can be used with encryption for authentication  E(M || H)  M || E(H)  M || signed H  E( M || signed H ) gives confidentiality  M || H( M || K )  E( M || H( M || K ) )
  • 19. Basic Uses of Hash Function
  • 20. Basic Uses of Hash Function
  • 21. • h = H(M) • M is a variable-length message, h is a fixed-length hash value, H is a hash function • The hash value is appended at the source • The receiver authenticates the message by recomputing the hash value • Because the hash function itself is not considered to be secret, some means is required to protect the hash value
  • 22. 1. H can be applied to any size data block 2. H produces fixed-length output 3. H(x) is relatively easy to compute for any given x 4. H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x) 5. H is weakly collision resistant: given x, it is computationally infeasible to find any y ≠ x s.t. H(x) = H(y) 6. H is strongly collision resistant: it is computationally infeasible to find any x and y s.t. H(x) = H(y)
  • 23. • One-way property is essential for authentication • Weak collision resistance is necessary to prevent forgery • Strong collision resistance is important for resistance to birthday attack
  • 24. • Operation of hash functions  The input is viewed as a sequence of n-bit blocks  The input is processed one block at a time in an iterative fashion to produce an n-bit hash function • Simplest hash function: Bitwise XOR of every block  C_i = b_i1 ⊕ b_i2 ⊕ … ⊕ b_im  C_i = i-th bit of the hash code, 1 ≤ i ≤ n  m = number of n-bit blocks in the input  b_ij = i-th bit in j-th block  Known as longitudinal redundancy check
  • 25. • Improvement over the simple bitwise XOR – Initially set the n-bit hash value to zero – Process each successive n-bit block of data as follows » Rotate the current hash value to the left by one bit » XOR the block into the hash value
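The two toy hashes from slides 24 and 25, as an added example that is not part of the original slides. It shows that both fail weak collision resistance (property 5 on slide 22): plain XOR ignores block order, and the rotated version can be steered to any value with one extra block. The 16-bit block size, the zero-padding rule and the sample messages are assumptions made for the demonstration.

```python
N_BITS = 16                       # block size n (assumed for the demo)
MASK = (1 << N_BITS) - 1

def blocks(data: bytes):
    """Split data into 16-bit blocks, zero-padding an odd tail (assumed rule)."""
    if len(data) % 2:
        data += b"\x00"
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]

def rotl1(x: int) -> int:
    """Rotate an n-bit value left by one bit."""
    return ((x << 1) | (x >> (N_BITS - 1))) & MASK

def xor_hash(data: bytes) -> int:
    """Slide 24: bitwise XOR of every block (longitudinal redundancy check)."""
    h = 0
    for b in blocks(data):
        h ^= b
    return h

def rxor_hash(data: bytes) -> int:
    """Slide 25: rotate the running value left one bit, then XOR in the block."""
    h = 0
    for b in blocks(data):
        h = rotl1(h) ^ b
    return h

def forge_block(tampered: bytes, target: int) -> bytes:
    """One trailing block that makes rxor_hash(tampered + block) == target."""
    if len(tampered) % 2:
        raise ValueError("tampered message must be a whole number of blocks")
    return (rotl1(rxor_hash(tampered)) ^ target).to_bytes(2, "big")

if __name__ == "__main__":
    # Constructed sample messages.
    original = b"PAY BOB 0100 USD"
    reordered = b"PAY 0100 BOB USD"[:4] + original[8:12] + original[4:8] + original[12:]
    print("XOR hash equal after reordering blocks:",
          xor_hash(original) == xor_hash(reordered))
    print("rotated XOR notices the reordering:   ",
          rxor_hash(original) != rxor_hash(reordered))
    tampered = b"PAY EVE 9900 USD"
    forged = tampered + forge_block(tampered, rxor_hash(original))
    print("rotated XOR accepts tampered message: ",
          rxor_hash(forged) == rxor_hash(original))
```

Neither function involves a secret and both are linear, which is why the slides move on to keyed MACs and cryptographic hash functions.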
  • 26. • If the adversary can generate 2^(m/2) variants of a valid message and an equal number of fraudulent messages • The two sets are compared to find one message from each set with a common hash value • The valid message is offered for signature • The fraudulent message with the same hash value is inserted in its place • If a 64-bit hash code is used, the level of effort is only on the order of 2^32 • Conclusion: the length of the hash code must be substantial
  • 27. Generating 2^(m/2) Variants of Valid Messages • Insert a number of “space-backspace-space” character pairs between words throughout the document. Variations could then be generated by substituting “space-backspace-space” in selected instances • Alternatively, simply reword the message but retain the meaning
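The 2^(m/2) effort figure from slide 26, measured rather than asserted, as an added example that is not part of the original slides. It truncates SHA-256 to m bits (an assumption made so the experiment finishes quickly) and counts how many constructed messages are hashed before any two share a digest.

```python
import hashlib

def truncated_hash(msg: bytes, m_bits: int) -> int:
    """Top m_bits of SHA-256(msg); stands in for an m-bit hash code."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - m_bits)

def first_collision(m_bits: int, limit: int = 1 << 22):
    """Hash constructed messages until two share an m-bit digest.

    Returns (message_a, message_b, number_of_messages_hashed).
    """
    seen = {}
    for i in range(limit):
        msg = b"constructed message variant %d" % i
        h = truncated_hash(msg, m_bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise RuntimeError("no collision within limit")

if __name__ == "__main__":
    for m in (16, 24, 32):
        a, b, hashed = first_collision(m)
        print("m=%2d  2^(m/2)=%6d  messages hashed before a collision: %d"
              % (m, 2 ** (m // 2), hashed))
```

The count grows with 2^(m/2), not 2^m, which is the reason the slide concludes that the hash code must be long.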
  • 28. • Three desirable properties of hash functions  One-way: For any given code h, it is computationally infeasible to find x s.t. H(x) = h  Weak collision resistance: For any given block x, it is computationally infeasible to find y ≠ x s.t. H(y) = H(x)  Strong collision resistance: It is computationally infeasible to find any pair (x, y) s.t. H(y) = H(x)
  • 29. • like block ciphers have: • brute-force attacks exploiting  strong collision resistance hash have cost 2^(m/2)  have proposal for h/w MD5 cracker  128-bit hash looks vulnerable, 160-bits better  MACs with known message-MAC pairs  can either attack keyspace (cf key search) or MAC  at least 128-bit MAC is needed for security
  • 30. • Introduction • MD5 Algorithm Structure • Implementation Steps • MD5 vs. MD4
  • 31. • MD5 algorithm was developed by Professor Ronald L. Rivest in 1991. • According to RFC 1321, “MD5 message-digest algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. • The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.”
  • 32. • Step1 : Append padding bits • The input message is "padded" (extended) so that its length (in bits) is congruent to 448 mod 512. Padding is always performed, even if the length of the message is already 448 mod 512. • Padding is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended so that the length in bits of the padded message becomes congruent to 448 mod 512. At least one bit and at most 512 bits are appended.
  • 33. • Step2 : Append length • A 64-bit representation of the length of the message is appended to the result of step1. If the length of the message is greater than 2^64, only the low-order 64 bits will be used. The resulting message (after padding with bits and with b) has a length that is an exact multiple of 512 bits. The input message will have a length that is an exact multiple of 16 (32-bit) words.
  • 34. • Step3. Initialize MD buffer A four-word buffer (A, B, C, D) is used to compute the message digest. Each of A, B, C, D is a 32-bit register. These registers are initialized to the following values (in hexadecimal, low-order bytes first): word A: 01 23 45 67 word B: 89 ab cd ef word C: fe dc ba 98 word D: 76 54 32 10
  • 35. • Step4 : Process message in 16-word blocks Four functions will be defined such that each function takes an input of three 32-bit words and produces a 32-bit word output. F (X, Y, Z) = XY or not (X) Z G (X, Y, Z) = XZ or Y not (Z) H (X, Y, Z) = X xor Y xor Z I (X, Y, Z) = Y xor (X or not (Z))
  • 36. • Step 4 – Process message in 16-word blocks cont. • If the bits of X, Y, and Z are independent and unbiased, then each bit of F(X,Y,Z), G(X,Y,Z), H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased.
  • 37. • Step 5 – output • The message digest produced as output is A, B, C, D. • That is, output begins with the low-order byte of A, and ends with the high-order byte of D.
  • 38. • One MD5 operation. MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. • F is a nonlinear function; one function is used in each round. M_i denotes a 32-bit block of the message input, and K_i denotes a 32-bit constant, different for each operation.
  • 39. Round 1. [abcd k s i] denote the operation a = b + ((a + F (b, c, d) + X [k] + T [i]) <<< s). Do the following 16 operations. [ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4] [ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8] [ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12] [ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16]
  • 40. • Comparing to other digest algorithms, MD5 is simple to implement, and provides a "fingerprint" or message digest of a message of arbitrary length. • It performs very fast on 32-bit machine. • MD5 is being used heavily from large corporations, such as IBM, Cisco Systems, to individual programmers. • MD5 is considered one of the most efficient algorithms currently available.
  • 41. Authentication Requirements: • Masquerade – Insertion of message from fraudulent source • Content Modification – Changing content of message • Sequence Modification – Insertion, deletion and reordering sequence • Timing Modification – Replaying valid sessions
  • 42. • Message Digest or “Fingerprint” → Compressed Representation → Easy to generate for a given file. • Computationally infeasible to produce two messages with same message digest • Impossible to recreate a message given a message digest. • Data Integrity and Comparison Checking → Message Integrity Validation
  • 43. • Public Key Algorithms – Password Logins – Encryption Key Management – Digital Signatures • Integrity Checking – Virus and Malware Scanning • Authentication – Secure Web Connections • (PGP, SSL, SSH, S/MIME)
  • 44. • SHA originally designed by NIST & NSA in 1993 • was revised in 1995 as SHA-1 • US standard for use with DSA signature scheme • standard is 180-1 1995, also Internet RFC3174 • the algorithm is SHA, the standard is SHS • based on design of MD5 with key differences • produces 160-bit hash values • recent 2005 results on security of SHA-1 have raised concerns on its use in future applications
  • 45.
                             SHA-1    SHA-224  SHA-256  SHA-384  SHA-512
        Message digest size  160      224      256      384      512
        Message size         < 2^64   < 2^64   < 2^64   < 2^128  < 2^128
        Block size           512      512      512      1024     1024
        Word size            32       32       32       64       64
        Number of steps      80       64       64       80       80
  • 46. Step 1: Append Padding Bits…. Message is “padded” with a 1 and as many 0’s as necessary to bring the message length to 64 bits fewer than an even multiple of 512. Step 2: Append Length.... 64 bits are appended to the end of the padded message. These bits hold the binary format of 64 bits indicating the length of the original message.
  • 47. Step 3: Prepare Processing Functions…. SHA1 requires 80 processing functions defined as:
        f(t;B,C,D) = (B AND C) OR ((NOT B) AND D)           ( 0 <= t <= 19)
        f(t;B,C,D) = B XOR C XOR D                          (20 <= t <= 39)
        f(t;B,C,D) = (B AND C) OR (B AND D) OR (C AND D)    (40 <= t <= 59)
        f(t;B,C,D) = B XOR C XOR D                          (60 <= t <= 79)
      Step 4: Prepare Processing Constants.... SHA1 requires 80 processing constant words defined as:
        K(t) = 0x5A827999    ( 0 <= t <= 19)
        K(t) = 0x6ED9EBA1    (20 <= t <= 39)
        K(t) = 0x8F1BBCDC    (40 <= t <= 59)
        K(t) = 0xCA62C1D6    (60 <= t <= 79)
  • 48. Step 5: Initialize Buffers…. SHA1 requires 160 bits or 5 buffers of words (32 bits): H0 = 0x67452301 H1 = 0xEFCDAB89 H2 = 0x98BADCFE H3 = 0x10325476 H4 = 0xC3D2E1F0
  • 49. Step 6: Processing Message in 512-bit blocks (L blocks in total message)…. This is the main task of SHA1 algorithm which loops through the padded and appended message in 512-bit blocks. Input and predefined functions: M[1, 2, ..., L]: Blocks of the padded and appended message f(0;B,C,D), f(1;B,C,D), ..., f(79;B,C,D): 80 Processing Functions K(0), K(1), ..., K(79): 80 Processing Constant Words H0, H1, H2, H3, H4: 5 Word buffers with initial values
  • 50. Step 6: Pseudo Code….
        For loop on k = 1 to L
            (W(0),W(1),...,W(15)) = M[k]    /* Divide M[k] into 16 words */
            For t = 16 to 79 do:
                W(t) = (W(t-3) XOR W(t-8) XOR W(t-14) XOR W(t-16)) <<< 1
            A = H0, B = H1, C = H2, D = H3, E = H4
            For t = 0 to 79 do:
                TEMP = (A <<< 5) + f(t;B,C,D) + E + W(t) + K(t)
                E = D, D = C, C = B <<< 30, B = A, A = TEMP
            End of for loop
            H0 = H0 + A, H1 = H1 + B, H2 = H2 + C, H3 = H3 + D, H4 = H4 + E
        End of for loop
        Output: H0, H1, H2, H3, H4: Word buffers with final message digest
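Steps 1 to 6 above turned into running code and checked against Python's `hashlib`, as an added example that is not part of the original slides. The function names `pad` and `sha1` are chosen here; the functions, constants and initial buffer values are the ones listed on slides 47 and 48, and all additions are taken modulo 2^32.

```python
import struct

def rotl(x: int, n: int) -> int:
    """32-bit circular left shift (the <<< operator in the pseudocode)."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def f(t: int, B: int, C: int, D: int) -> int:
    """Step 3: the processing function for step t."""
    if t <= 19:
        return (B & C) | (~B & D)
    if t <= 39:
        return B ^ C ^ D
    if t <= 59:
        return (B & C) | (B & D) | (C & D)
    return B ^ C ^ D

# Step 4: one constant word per step.
K = [0x5A827999] * 20 + [0x6ED9EBA1] * 20 + [0x8F1BBCDC] * 20 + [0xCA62C1D6] * 20

def pad(message: bytes) -> bytes:
    """Steps 1-2: a 1 bit, zeros up to 448 mod 512 bits, then 64-bit length."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack(">Q", bit_len)

def sha1(message: bytes) -> str:
    # Step 5: initial buffer values.
    H = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    M = pad(message)
    for k in range(0, len(M), 64):            # Step 6: one 512-bit block at a time
        W = list(struct.unpack(">16I", M[k:k + 64]))
        for t in range(16, 80):
            W.append(rotl(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], 1))
        A, B, C, D, E = H
        for t in range(80):
            TEMP = (rotl(A, 5) + f(t, B, C, D) + E + W[t] + K[t]) & 0xFFFFFFFF
            A, B, C, D, E = TEMP, A, rotl(B, 30), C, D
        H = [(h + v) & 0xFFFFFFFF for h, v in zip(H, (A, B, C, D, E))]
    return "".join("%08x" % h for h in H)

if __name__ == "__main__":
    import hashlib
    for sample in (b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 64):
        assert sha1(sample) == hashlib.sha1(sample).hexdigest()
        print(len(sample), "bytes ->", len(pad(sample)), "padded ->", sha1(sample))
```

The 55- and 56-byte inputs sit on either side of the padding boundary: the first fits in one block, the second needs a whole extra block for the padding and length.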
  • 51. • a = 6A09E667F3BCC908 • b = BB67AE8584CAA73B • c = 3C6EF372FE94F82B • d = A54FF53A5F1D36F1 • e = 510E527FADE682D1 • f = 9B05688C2B3E6C1F • g = 1F83D9ABFB41BD6B • h = 5BE0CD19137E2179
  • 52. • HMAC stands for Hash-based Message Authentication Code • It is used to verify data integrity and authenticity of a message • It uses current cryptographic hash functions with a secret key (SHA or MD5)  The name of the function changes depending on what hash function you use  MD5 results in HMAC-MD5  SHA# results in HMAC-SHA#
  • 53. • The strength of HMAC relies on the strength of the hash used and the quality of the key • The output size is the same as that of the hash function  128-bit with MD5 or 160-bit with SHA-1
  • 54. • Some terms to help out with the next slide:  H = hash function  K = key  M = message  || = concatenation  XOR = XOR  o_key_pad = outer padding (one block long 0x36)  i_key_pad = inner padding (one block long 0x5c) • In short: HMAC(k,m) = H((k XOR o_key_pad) || H((k XOR i_key_pad) || m))
  • 55.
        Function hmac (k, m)
            if (length(k) > blocksize) then
                k = hash(k)
            endif
            if (length(k) < blocksize) then
                k = k || (0x00 * (blocksize - length(k)))
            endif
            o_key_pad = (0x5c * blocksize) XOR k
            i_key_pad = (0x36 * blocksize) XOR k
            return hash(o_key_pad || hash(i_key_pad || m))
        End Function
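The pseudocode on slide 55 written out in Python and compared with the standard library's `hmac` module, as an added example that is not part of the original slides. The names `hmac_from_slide` and `verify_tag` and the sample key and message are chosen here; the pad bytes (0x5c outer, 0x36 inner) are the ones in the pseudocode.

```python
import hashlib
import hmac

def hmac_from_slide(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC built step by step as in the slide's pseudocode."""
    blocksize = hashlib.new(hash_name).block_size   # 64 for MD5/SHA-1, 128 for SHA-512
    if len(key) > blocksize:                        # long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(blocksize, b"\x00")             # short keys are zero-padded
    o_key_pad = bytes(b ^ 0x5C for b in key)
    i_key_pad = bytes(b ^ 0x36 for b in key)
    inner = hashlib.new(hash_name, i_key_pad + message).digest()
    return hashlib.new(hash_name, o_key_pad + inner).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac_from_slide(key, message, hash_name)
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    # Constructed sample key and message.
    key = bytes(range(20))
    msg = b"transfer 100 to account 42"
    for name in ("md5", "sha1", "sha512"):
        tag = hmac_from_slide(key, msg, name)
        assert tag == hmac.new(key, msg, name).digest()
        print("HMAC-%s: %d-byte tag %s" % (name.upper(), len(tag), tag.hex()))
    tag = hmac_from_slide(key, msg)
    print("genuine message accepted: ", verify_tag(key, msg, tag))
    print("modified message accepted:", verify_tag(key, msg + b"0", tag))
```

In production code use `hmac.new` directly; the hand-built version is only there to make the two nested hash calls visible.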
  • 56. • Using MD5 as the hashing function in HMAC does not seem to compromise the function in regards to the MD5 weaknesses. • Although SHA is much stronger, MD5 is best for performance if it is needed. • The most common attack against HMAC is brute force to get the secret key. • HMAC is substantially less affected by collisions than the hash function by itself.
  • 57. • A key can be of any length  However, a key shorter than the byte-length of the hash output is discouraged  (16 for MD5, and 20 for SHA) • Keys need to be chosen at random  A longer key may be advisable if the randomness of the key is weak • Use a cryptographically strong pseudo-random generator seeded with a random seed that is refreshed  This is generally a good security practice, and will limit the damage to keys and functions
  • 58. Thank You and Have a Nice Day !