Your SlideShare is downloading. ×
0
Message Authentication
Message authentication <ul><li>Procedure to verify that </li></ul><ul><ul><li>Recvd message is from alleged source </li></...
Authentication functions <ul><li>Lower level function </li></ul><ul><ul><li>Authenticator or value  </li></ul></ul><ul><li...
 
 
Message Authentication codes  ( MAC) <ul><li>MAC also known as cryptographic checksum </li></ul><ul><ul><li>MAC = C k (M) ...
 
MAC attacks <ul><li>In encryption </li></ul><ul><ul><li>security depends on length of key </li></ul></ul><ul><ul><li>brute...
MAC attack to find Key <ul><li>Round 1:  </li></ul><ul><ul><li>given M1, MAC1 = C k (M1) </li></ul></ul><ul><ul><li>Comput...
Mac attack without finding key <ul><li>Mac algo </li></ul><ul><ul><li>M = X1||X2||…||Xm --   Xi = 64 bit blocks </li></ul...
MAC requirements <ul><li>Knowing M and Ck(M) it should not be possible to make M’-> Ck(M’) = Ck(M) </li></ul><ul><li>For a...
MAC based on DES
HASH functions <ul><li>h = H(M) </li></ul><ul><ul><li>M = variable length message </li></ul></ul><ul><ul><li>H(M) is fixed...
Requirements of Hash function <ul><li>Applied on any length of block of data </li></ul><ul><li>Output fixed length </li></...
 
 
What is Birthday attack? <ul><li>Derived from &quot;birthday paradox“ </li></ul><ul><ul><li>A lthough there are 365 days i...
Birthday Attack <ul><li>A class of attacks against cryptographic functions </li></ul><ul><ul><li>including both encryption...
More on Birthday attacker <ul><li>Birthday attacks enable an  attacker  to find two inputs for which a cryptographic /hash...
MD5
MD5 processing steps <ul><li>Step 1: Appending padding bits </li></ul><ul><ul><li>To ensure each block size is 512 bit </l...
 
Step 4 <ul><li>Four rounds </li></ul><ul><li>16 steps in each round </li></ul><ul><li>Details of each round </li></ul><ul>...
 
 
SHA-1
SHA-1 processing steps <ul><li>Step 1: Appending padding bits </li></ul><ul><ul><li>To ensure each block size is 512 bit <...
 
 
 
Upcoming SlideShare
Loading in...5
×

Message Authentication

1,427

Published on

Unit 5 Of ACN

Published in: Technology, Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,427
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
37
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Message Authentication"

  1. 1. Message Authentication
  2. 2. Message authentication <ul><li>Procedure to verify that </li></ul><ul><ul><li>Recvd message is from alleged source </li></ul></ul><ul><ul><li>Message has not been altered </li></ul></ul><ul><ul><li>There is no change in message sequence </li></ul></ul><ul><ul><li>message is not delayed or a replay </li></ul></ul><ul><li>Includes mechanism for non-repudiation by source </li></ul>
  3. 3. Authentication functions <ul><li>Lower level function </li></ul><ul><ul><li>Authenticator or value </li></ul></ul><ul><li>Higher level function </li></ul><ul><ul><li>Use authenticator to verify authenticity of message </li></ul></ul><ul><li>Functions to produce authenticator </li></ul><ul><ul><li>Message encryption </li></ul></ul><ul><ul><ul><li>cirhertext </li></ul></ul></ul><ul><ul><li>Message authentication code ( MAC) </li></ul></ul><ul><ul><ul><li>F(K,M) -> fixed length value </li></ul></ul></ul><ul><ul><li>Hash Function </li></ul></ul><ul><ul><ul><li>Mapping of message -> fixed length value </li></ul></ul></ul>
  4. 6. Message Authentication codes ( MAC) <ul><li>MAC also known as cryptographic checksum </li></ul><ul><ul><li>MAC = C k (M) </li></ul></ul><ul><ul><li>M : variable length message </li></ul></ul><ul><ul><li>K : Shared key between sender and receiver </li></ul></ul><ul><ul><li>C k (M) : Fixed length authenticator </li></ul></ul><ul><li>MAC is appended to the message at src </li></ul><ul><li>Receiver verifies by re-computing MAC </li></ul>
  5. 8. MAC attacks <ul><li>In encryption </li></ul><ul><ul><li>security depends on length of key </li></ul></ul><ul><ul><li>brute force attack requires 2 k-1 combinations of k bit key </li></ul></ul><ul><li>Mac is many to one function </li></ul><ul><li>Known M1 and MAC1 </li></ul><ul><li>If k > n ( length of MAC) </li></ul><ul><ul><li>Brute force attack can result in 2 k-n matches </li></ul></ul><ul><ul><li>==  C k-n (M1) = MAC1 </li></ul></ul>
  6. 9. MAC attack to find Key <ul><li>Round 1: </li></ul><ul><ul><li>given M1, MAC1 = C k (M1) </li></ul></ul><ul><ul><li>Compute MAC i = Ck i (M i ) for all 2 k keys </li></ul></ul><ul><ul><li>Number of matches ~ 2 k-n </li></ul></ul><ul><li>Round 2: </li></ul><ul><ul><li>given M2, MAC2 = C k (M2) </li></ul></ul><ul><ul><li>Compute MAC i = Ck i (M i ) for all 2 k-n keys </li></ul></ul><ul><ul><li>Number of matches ~ 2 k-2n </li></ul></ul><ul><li>And so on……. </li></ul><ul><li>Brute force over many rounds </li></ul>
  7. 10. Mac attack without finding key <ul><li>Mac algo </li></ul><ul><ul><li>M = X1||X2||…||Xm --  Xi = 64 bit blocks </li></ul></ul><ul><ul><li> M = X1  X2  ….  Xm </li></ul></ul><ul><ul><li>C k (M) = E k (  M) encryption by DES ECB </li></ul></ul><ul><li>Attack </li></ul><ul><ul><li>Replace X1..Xm-1 by Y1..Ym-1 </li></ul></ul><ul><ul><li>Ym = Y1  Y2  ….  Ym-1  M </li></ul></ul><ul><li>Attacker inserts new message which will be authenticated correctly by receiver </li></ul>
  8. 11. MAC requirements <ul><li>Knowing M and Ck(M) it should not be possible to make M’-> Ck(M’) = Ck(M) </li></ul><ul><li>For any random M, M’; Pr[Ck(M) =Ck(M’)] should be 2 -n for n MAC bits </li></ul><ul><li>If M’ = f(M); Pr[Ck(M) =Ck(M’)] should be 2 -n </li></ul>
  9. 12. MAC based on DES
  10. 13. HASH functions <ul><li>h = H(M) </li></ul><ul><ul><li>M = variable length message </li></ul></ul><ul><ul><li>H(M) is fixed length hash value </li></ul></ul><ul><ul><li>Hash is appended to M by sender </li></ul></ul><ul><ul><li>Receiver re-computes hash to verify M </li></ul></ul>
  11. 14. Requirements of Hash function <ul><li>Applied on any length of block of data </li></ul><ul><li>Output fixed length </li></ul><ul><li>H(x) easy to compute </li></ul><ul><li>H(x) should exhibit one way property </li></ul><ul><li>For given x, infeasible to find y!=x with H(y) = H(x): weak collision resistance </li></ul><ul><li>Infeasible to find any pair (x,y) such that H(y) = H(x) </li></ul>
  12. 17. What is Birthday attack? <ul><li>Derived from &quot;birthday paradox“ </li></ul><ul><ul><li>A lthough there are 365 days in a year </li></ul></ul><ul><ul><li>T he probability is greater than 1/2 that </li></ul></ul><ul><ul><li>T wo of more people share the same birthday in any randomly chosen group of 23 people. </li></ul></ul>
  13. 18. Birthday Attack <ul><li>A class of attacks against cryptographic functions </li></ul><ul><ul><li>including both encryption functions and hash functions. </li></ul></ul><ul><ul><li>The attacks take advantage of a statistical property: </li></ul></ul><ul><ul><ul><li>Given a cryptographic function having an N-bit output </li></ul></ul></ul><ul><ul><ul><li>for 2 N/2 randomly chosen inputs </li></ul></ul></ul><ul><ul><ul><li>the function will produce at least two outputs that are identical </li></ul></ul></ul><ul><ul><ul><li>With a probability greater than1/2 </li></ul></ul></ul>
  14. 19. More on Birthday attacker <ul><li>Birthday attacks enable an attacker to find two inputs for which a cryptographic /hash function produces the same cipher text </li></ul><ul><ul><li>M uch faster than a brute-force attack can </li></ul></ul><ul><ul><li>N o birthday attack can enable an a ttacker </li></ul></ul><ul><ul><ul><li>T o decrypt a given cipher text or find a hash input that results in a given hash result </li></ul></ul></ul><ul><ul><ul><li>any faster than a brute-force attack can. </li></ul></ul></ul>
  15. 20. MD5
  16. 21. MD5 processing steps <ul><li>Step 1: Appending padding bits </li></ul><ul><ul><li>To ensure each block size is 512 bit </li></ul></ul><ul><ul><li>Min 1 bit to max 512 bit padding </li></ul></ul><ul><ul><li>Padding bits : 10000….. </li></ul></ul><ul><ul><li>(Msg + pad bits + 64 bit for length) = n x 512 </li></ul></ul><ul><li>Step 2: Append length </li></ul><ul><ul><li>64 bit long filed for length of message </li></ul></ul><ul><li>Step 3: Initialize MD buffer </li></ul><ul><ul><li>A,B,C,D buffers of 32 bit size each </li></ul></ul><ul><li>Step 4: Process message in 512-bit blocks </li></ul><ul><ul><li>16 words of 32 bit each </li></ul></ul><ul><li>Step 5: output 128 bit ( also fed back to input) </li></ul>
  17. 23. Step 4 <ul><li>Four rounds </li></ul><ul><li>16 steps in each round </li></ul><ul><li>Details of each round </li></ul><ul><ul><li>Inputs </li></ul></ul><ul><ul><ul><li>A,B,C,D ( 32 bits each) </li></ul></ul></ul><ul><ul><ul><li>512 bit block Message ( 16 x 32) </li></ul></ul></ul><ul><ul><ul><li>T[ i ] 32 bit array of cont from sin value </li></ul></ul></ul><ul><ul><li>Processing </li></ul></ul><ul><ul><ul><li>F,G,H &I functions in each round </li></ul></ul></ul><ul><ul><li>Output </li></ul></ul><ul><ul><ul><li>A,B,C,D </li></ul></ul></ul>
  18. 26. SHA-1
  19. 27. SHA-1 processing steps <ul><li>Step 1: Appending padding bits </li></ul><ul><ul><li>To ensure each block size is 512 bit </li></ul></ul><ul><ul><li>Min 1 bit to max 512 bit padding </li></ul></ul><ul><ul><li>Padding bits : 10000….. </li></ul></ul><ul><ul><li>(Msg + pad bits + 64 bit for length) = n x 512 </li></ul></ul><ul><li>Step 2: Append length </li></ul><ul><ul><li>64 bit long filed for length of message </li></ul></ul><ul><li>Step 3: Initialize MD buffer </li></ul><ul><ul><li>A,B,C,D,E buffers of 32 bit size each </li></ul></ul><ul><li>Step 4: Process message in 512-bit blocks </li></ul><ul><ul><li>20 words of 32 bit each </li></ul></ul><ul><li>Step 5: output 128 bit ( also fed back to input) </li></ul>
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×