Is unit 5_message authentication and hash functions

  • 568 views
Uploaded on

 

More in: Technology , Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
568
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
60
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Chapter 5:Chapter 5:Chapter 5:Chapter 5:----Message Authentication andHash FunctionsSarthak Patel, (www.sarthakpatel.in)
  • 2. OutlineAuthentication Requirement,Functions, MessageAuthentication Code, Hash Functions,Security Of Hash Functions And MacsMD5 Message Digest Algorithm,Secure HashAlgorithmSarthak Patel (www.sarthakpatel.in)2Secure HashAlgorithmRipemd-160Hmac
  • 3. Authentication Requirements1. Disclosure: Release of message contents to any person or process notpossessing the appropriate cryptographic key.2. Traffic analysis: Discovery of the pattern of traffic between parties.In a connection-oriented application, the frequency and duration ofconnections could be determined. In either a connection-oriented orconnectionless environment, the number and length of messagesSarthak Patel (www.sarthakpatel.in)3connectionless environment, the number and length of messagesbetween parties could be determined.3. Masquerade: Insertion of messages into the network from afraudulent source. This includes the creation of messages by anopponent that are supposed to come from an authorized entity. Alsoincluded are fraudulent acknowledgments of message receipt ornonreceipt by someone other than the message recipient.
  • 4. Contd…4. Content modification: Changes to the contents of a message,including insertion, deletion, transposition, and modification.5. Sequence modification: Any modification to a sequence ofmessages between parties, including insertion, deletion, andreordering.Sarthak Patel (www.sarthakpatel.in)46. Timing modification: Delay or replay of messages. In aconnection-oriented application, an entire session or sequenceof messages could be a replay of some previous valid session, orindividual messages in the sequence could be delayed orreplayed. In a connectionless application, an individual message(e.g., datagram) could be delayed or replayed.
  • 5. Contd…7. Source repudiation: Denial of transmission of message bysource.8. Destination repudiation: Denial of receipt of message bydestination.Sarthak Patel (www.sarthakpatel.in)5
  • 6. Message Authentication Functionmessage authentication is concerned with:protecting the integrity of a messagevalidating identity of originatornon-repudiation of origin (dispute resolution)Sarthak Patel (www.sarthakpatel.in)6three alternative functions used:message encryptionmessage authentication code (MAC)hash function
  • 7. Message Encryptionmessage encryption by itself also provides a measure ofauthenticationif symmetric encryption is used then:receiver know sender must have created itsince only sender and receiver now key usedSarthak Patel (www.sarthakpatel.in)7since only sender and receiver now key usedSo, content cannot of been alteredProvides both: sender authentication and message authenticity.
  • 8. Message Encryptionif public-key encryption is used:encryption provides no confidence of sendersince anyone potentially knows public-keyhowever ifsender signs message using his private-keySarthak Patel (www.sarthakpatel.in)8sender signs message using his private-keythen encrypts with recipients public keyhave both secrecy and authenticationbut at cost of two public-key uses on message
  • 9. Sarthak Patel (www.sarthakpatel.in)9
  • 10. Message Authentication Code (MAC)a small fixed-sized block of data:depends on both message and a secret keylike encryption though need not be reversibleappended to message as a signatureSarthak Patel (www.sarthakpatel.in)10receiver performs same computation on message and checks itmatches the MACprovides assurance that message is unaltered and comes fromsender
  • 11. Message Authentication CodeThis technique assumes that two communicating parties, say A and B,share a common secret key K. When A has a message to send to B,it calculates the MAC as a function of the message and the key:MAC = C(K, M), whereM= input messageC= MAC functionSarthak Patel (www.sarthakpatel.in)11C= MAC functionK= shared secret keyMAC= message authentication code
  • 12. Message Authentication CodesMAC provides authenticationMessage can be encrypted for secrecygenerally use separate keys for eachcan compute MAC either before or after encryptionis generally regarded as better done beforeSarthak Patel (www.sarthakpatel.in)12is generally regarded as better done beforewhy use a MAC?sometimes only authentication is neededsometimes need authentication to persist longer than theencryption
  • 13. Mac EncryptionThe receiver is assured that the message is from the allegedsender. Because no one else knows the secret key, no one elsecould prepare a message with a proper MAC.Sarthak Patel (www.sarthakpatel.in)13
  • 14. MAC Propertiesa MAC is a cryptographic checksumMAC = CK(M)C is a functioncondenses a variable-length message Musing a secret key Kto a fixed-sized authenticatorSarthak Patel (www.sarthakpatel.in)14to a fixed-sized authenticatormany-to-one functionpotentially many messages have same MACbut finding these needs to be very difficult
  • 15. Requirements for MACsMAC needs to satisfy the following:1. knowing a message and MAC, is infeasible to find anothermessage with same MAC2. MACs should be uniformly distributedSarthak Patel (www.sarthakpatel.in)152. MACs should be uniformly distributed3. MAC should depend equally on all bits of the message
  • 16. Hash FunctionsA hash function is like a MACcondenses arbitrary message to fixed sizeh = H(M)usually assume that the hash function is public and notkeyedSarthak Patel (www.sarthakpatel.in)16keyed-note that a MAC is keyedhash used to detect changes to messagecan use in various ways with messagemost often to create a digital signature
  • 17. Hash Functions & DigitalSignaturesOnly the hash code is encrypted, using public-keyencryption and using the senders private key.As with (b),this provides authentication. It also provides a digitalsignature.Sarthak Patel (www.sarthakpatel.in)17
  • 18. Requirements for Hash Functions1. can be applied to any size message M2. produces a fixed-length output h3. is easy to compute h=H(M) for any message M4. given h is infeasible to find x s.t. H(x)=h5. given x is infeasible to find y s.t. H(y)=H(x)Sarthak Patel (www.sarthakpatel.in)185. given x is infeasible to find y s.t. H(y)=H(x)6. is infeasible to find any x,y s.t. H(y)=H(x)
  • 19. Simple Hash Functionsare several proposals for simple functionsbased on XOR of message blocks-divide the message into equal size blocks-perform XOR operation block by block-final output is the hashSarthak Patel (www.sarthakpatel.in)19-final output is the hashnot very secureneed a stronger cryptographic function
  • 20. Security of Hash Functions andSecurity of Hash Functions andSecurity of Hash Functions andSecurity of Hash Functions andMacsMacsMacsMacsAttacks on hash functions and MACs into two categories:BruteBrute--force attacksforce attacksCryptanalysis.Cryptanalysis.Sarthak Patel (www.sarthakpatel.in)20
  • 21. BruteBruteBruteBrute----Force AttacksForce AttacksForce AttacksForce AttacksHash Functions:In hash functions there are three desirable propertiesOne-way: For any given code h, it is computationally infeasible tofind x such that H(x) = h.Weak collision resistance: For any given block x, it isSarthak Patel (www.sarthakpatel.in)21Weak collision resistance: For any given block x, it iscomputationally infeasible to find y≠x with H(y) = H(x).Strong collision resistance: It is computationally infeasible tofind any pair (x, y) such that H(x) = H(y).For a hash code of length n, the level of effort required, as we have seenis proportional to the following:
  • 22. Contd…Message Authentication CodesA brute-force attack on a MAC is a more difficult undertakingbecause it requires known message-MAC pairs. Let us see why thisis so. To attack a hash code, we can proceed in the following way.Given a fixed message x with n-bit hash code h = H(x), a brute-Sarthak Patel (www.sarthakpatel.in)22force method of finding a collision is to pick a random bit string yand check if H(y) = H(x). The attacker can do this repeatedly offline. Whether an off-line attack can be used on a MAC algorithmdepends on the relative size of the key and the MAC.
  • 23. Contd…If an attacker can determine the MAC key, then it is possible togenerate a valid MAC value for any input x.Suppose the key size is k bits and that the attacker has one knowntext-MAC pair. Then the attacker can compute the n-bit MAC onthe known text for all possible keys. At least one key is guaranteedto produce the correct MAC, namely, the valid key that wasSarthak Patel (www.sarthakpatel.in)23to produce the correct MAC, namely, the valid key that wasinitially used to produce the known text-MAC pair. This phase ofthe attack takes a level of effort proportional to 2k.
  • 24. CryptanalysisCryptanalysisCryptanalysisCryptanalysisAs with encryption algorithms, cryptanalytic attacks on hashfunctions and MAC algorithms seek to exploit some propertyof the algorithm to perform some attack other than anexhaustive search. The way to measure the resistance of ahash or MAC algorithm to cryptanalysis is to compare itsSarthak Patel (www.sarthakpatel.in)24hash or MAC algorithm to cryptanalysis is to compare itsstrength to the effort required for a brute-force attack. Thatis, an ideal hash or MAC algorithm will require acryptanalytic effort greater than or equal to the brute-forceeffort.
  • 25. CryptanalysisHash FunctionsThe hash function takes an input message and partitions it into Lfixed-sized blocks of b bits each. If necessary, the final block ispadded to b bits. The final block also includes the value of the totallength of the input to the hash function. The inclusion of the lengthSarthak Patel (www.sarthakpatel.in)25makes the job of the opponent more difficult.Message Authentication CodesThere is much more variety in the structure of MACs than in hashfunctions, so it is difficult to generalize about the cryptanalysis ofMACs. Further, far less work has been done on developing suchattacks.
  • 26. Message Digests(Hash)A message digest is a fingerprint or the summary of amessage. (Same as LRC and CRC)It is used to verify integrity of the data (To ensure thatmessage has not been tampered).Ex. LRC- parity checkingSarthak Patel (www.sarthakpatel.in)26Ex. LRC- parity checking
  • 27. Idea of a Message DigestEx: Calculate the message digest of number 7391743Multiply each digit in the number with the next digit(excluding if it is 0) and disregarding the first digit of themultiplication operation, it the result is two-digit number.Sarthak Patel (www.sarthakpatel.in)27
  • 28. Calculate MD for 7391743Multiply 7 by 3 - 21Discard first digit - 1Multiply 1 by 9 - 9Multiply 9 by 1 - 9Multiply 9 by 7 - 63Sarthak Patel (www.sarthakpatel.in)28Multiply 9 by 7 - 63Discard first digit - 3Multiply 3 by 4 - 12Discard first digit - 2Multiply 2 by 3 - 6Message digest is 6
  • 29. MD5 (Message Digest 5)MD5 is a message digest algorithm developed by Ron Rivest.MD5 algorithm can be used as a digital signature mechanism.Sarthak Patel (www.sarthakpatel.in)29
  • 30. Description of the MD5 AlgorithmTakes as input a message of arbitrary length and produces asoutput a 128 bit “fingerprint” or “message digest” of theinput.It it is computationally infeasible to produce two messageshaving the same message digest.Sarthak Patel (www.sarthakpatel.in)30having the same message digest.Intended where a large file must be “compressed” in a securemanner before being encrypted with a private key under apublic-key cryptosystem such as PGP.
  • 31. MD5 AlgorithmSuppose a b-bit message as input, and that we need to find itsmessage digest.Step-1 PaddingStep-2Append lengthSarthak Patel (www.sarthakpatel.in)31Step-2Append lengthStep-3 Divide the input into 512-bit blocks.Step-4 Initialize chaining variables (4 variables)Step-5 Process blocks
  • 32. Step-1MD5 is to add padding bits to the original message.The aim of this step is make length of the original messageequal to a value, which is 64 bits less than an exact multipleof 512.Ex: 1000 bits of message (1000+472+64)Sarthak Patel (www.sarthakpatel.in)32Ex: 1000 bits of message (1000+472+64)The padding consists of a single “1” bit is appended to themessage, and then “0” bits.
  • 33. Step 2 – append length:A 64 bit representation of b is appended to the result of theprevious step.The resulting message has a length that is an exact multiple of512 bitsSarthak Patel (www.sarthakpatel.in)33
  • 34. Step-3 Divide the input into 512-bitblocksData to be hashed (Digested) 1536 bitsSarthak Patel (www.sarthakpatel.in)34512 bits 512 bits 512 bits
  • 35. Step-4 Initialize chaining variablesA four-word buffer (A,B,C,D) is used to compute themessage digest.Here each of A,B,C,D, is a 32 bit register.Sarthak Patel (www.sarthakpatel.in)35
  • 36. Step-5 Process blocks5.1 – Copy the four variables (32*4 = 128)5.2 – Divide the 512- bit block into 16 sub-blocks.512 bitsSarthak Patel (www.sarthakpatel.in)365.3 – Process each block with A, B, C, D.32bits32bits32bits32bits32bits32bits32bits32bits32bits32bits32bits32bits32bits32bits32bits32bits512 bits
  • 37. 5.3 - Process each block with A, B, C, D.Sarthak Patel (www.sarthakpatel.in)37
  • 38. Secure Hash Algorithm (SHA)SHA-1 produces a hash value of 160 bits.SHA is designed to be computationally infeasible to:Obtain the original messageFind two message producing the same MD.Sarthak Patel (www.sarthakpatel.in)38
  • 39. Types(Versions) of SHASarthak Patel (www.sarthakpatel.in)39
  • 40. AlgorithmStep-1 PaddingStep-2Append lengthStep-3 Divide the input into 512-bit blocks.Step-4 Initialize chaining variables (5 varibles)Step-5 Process blocksSarthak Patel (www.sarthakpatel.in)40Step-5 Process blocks
  • 41. 5.3- Process each block with A, B, C, D, E.Sarthak Patel (www.sarthakpatel.in)41
  • 42. Comparison of MD5 & SHA-1Points ofDiscussionMD5 SHA-1MD length in bits 128 160Attack try to findMD2128 2160Sarthak Patel (www.sarthakpatel.in)42MDAttack try to find twomessages producingsame message digest264 280Speed Faster Slower
  • 43. RACE Integrity Primitives EvaluationMessage Digest (RIPEMD-160)RIPEMD is a cryptographic hash based upon MD4. Its beenshown to have weaknesses and has been replaced byRIPEMD-128 and RIPMD-160. These are cryptographic hashfunctions designed by Hans Dobbertin, AntoonBosselaers, and Bart Preneel.Sarthak Patel (www.sarthakpatel.in)43Bosselaers, and Bart Preneel.RIPEMD-160 produces a hash of the same length as SHA1but is slightly slower. RIPEMD-128 has been designed as adrop-in replacement for MD4/MD5 whilst avoiding some ofthe weaknesses shown for these two algorithms. It is abouthalf the speed of MD5.
  • 44. HMAC(HashHMAC(HashHMAC(HashHMAC(Hash----Based MAC)Based MAC)Based MAC)Based MAC)HMAC has been chosen as a security implementation for InternetProtocol (IP) and Secure Socket Layer(SSL), widely used ininternet.The fundamental idea of HMAC is to reuse the existing MD5 orSHA-1.Sarthak Patel (www.sarthakpatel.in)44SHA-1.
  • 45. OriginalmessageExisting MD5 orSHA-1MD EncryptHMACSarthak Patel (www.sarthakpatel.in)45K
  • 46. How HMAC works?MD- Message Digest/ Hash functionM – Input messageipad-A string 00110110 repeated b/8 timesopqd-A string 01011010 repeated b/8 timesSarthak Patel (www.sarthakpatel.in)46
  • 47. How HMAC works?Step-1 Make the length of K equal to bLength K<b (Append 0 – left side)Length K=b (Step -2)Length K>b (Hash K reduce its length to b)Step- 2 XOR K with ipad to produce S1Sarthak Patel (www.sarthakpatel.in)47Step- 2 XOR K with ipad to produce S1Step -3Append M to S1Step -4 Message Digest algorithmStep -5 XOR K with opad to produce S2Step -6Append H toS2Message DigestAlgorithm