Authentication and Hash Functions

Chapter 5:-
Message Authentication and
Hash Functions
Sarthak Patel, (www
.sarthakpatel.in)

Outline
● Authentication Requirement,
● Functions, MessageAuthentication Code, Hash Functions,
● SecurityOfHash FunctionsAnd Macs
● MD5 Message DigestAlgorithm,
● Secure HashAlgorithm
● Ripemd-160
● Hmac
Sarthak Patel (www.sarthakpatel.in)
2

Authentication Requirements
1. Disclosure: Release of message contents to any person or process not
possessingthe appropriate cryptographickey
.
2. Traffic analysis: Discovery of the pattern of traffic between parties.
In a connection-oriented application, the frequency and duration of
connections could be determined. In either a connection-oriented or
connectionless environment, the number and length of messages
between partiescould be determined.
3. Masquerade: Insertion of messages into the network from a
fraudulent source. This includes the creation of messages by an
opponent that are supposed to come from an authorized entity. Also
included are fraudulent acknowledgments of message receipt or
nonreceipt bysomeone other than the messagerecipient.
3

Contd…
4. Content modification: Changes to the contents of a message,
includinginsertion,deletion,transposition,and modification.
5. Sequence modification: Any modification to a sequence of
messages between parties, including insertion, deletion, and
reordering.
6. Timing modification: Delay or replay of messages. In a
connection-oriented application, an entire session or sequence
of messages could be a replay of some previous valid session, or
individual messages in the sequence could be delayed or
replayed. In a connectionless application, an individual message
(e.g., datagram) could be delayedor replayed.
4

Contd…
7. Source repudiation: Denial of transmission of message by
source.
8. Destination repudiation: Denialof receipt of message by
destination.
5

Message Authentication Function
● message authentication isconcerned with:
● protectingthe integrityof amessage
● validatingidentityoforiginator
● non-repudiation of origin (dispute resolution)
● three alternative functionsused:
● message encryption
● message authentication code (MAC)
● hashfunction
6

Message Encryption
● messageencryption byitself also provides a measure of
authentication
● if symmetric encryption is used then:
● receiver know sender must have created it
● since only sender and receiver now key used
● So, content cannot of been altered
● Provides both:sender authentication and message authenticity.
7

Message Encryption
● ifpublic-keyencryption isused:
● encryption provides no confidence of sender
● since anyone potentiallyknows public-key
● however if
● sender signs message using his private-key
● then encryptswith recipientspublic key
● haveboth secrecy and authentication
● but at cost of two public-key uses on message
8

Message Authentication Code (MAC)
● asmall fixed-sized block ofdata:
● dependson both messageand asecret key
● like encryption though need not be reversible
● appended to message as asignature
● receiver performs same computation on message and checks it
matchesthe MAC
● providesassurance that messageis unaltered and comes from
sender
10

Message Authentication Code
This technique assumes that two communicating parties, sayA and B,
share a common secret key K. WhenA has a message to send to B,
it calculates the MAC as a function of the message and the key:
MAC = C(K, M), where
M= input message
C= MAC function
K= shared secret key
MAC= message authentication code
11

Message Authentication Codes
● MAC providesauthentication
● Message can be encrypted for secrecy
● generallyuse separate keysfor each
● can compute MACeither before or after encryption
● isgenerallyregarded asbetter done before
● whyuse aMAC?
● sometimesonlyauthentication isneeded
● sometimes need authentication to persist longer than the
encryption
12

Mac Encryption
● The receiver is assured that the message is from the alleged
sender.Becauseno one else knowsthe secret key,no one else
could prepare amessage with aproper MAC.
13

MAC Properties
● aMAC isacryptographic checksum
MAC = CK(M)
● C isafunction
● condensesavariable-lengthmessage M
● usingasecret keyK
● to afixed-sized authenticator
● many-to-one function
● potentiallymanymessageshave same MAC
● but findingthese needs to be very difficult
14

Requirements for MACs
● MAC needsto satisfy the following:
1. knowingamessage and MAC, isinfeasible to find another
message with same MAC
2. MACsshould be uniformlydistributed
3. MACshoulddepend equally on all bits of the message
15

Hash Functions
● Ahash function islike aMAC
● condensesarbitrarymessage to fixed size
h = H(M)
● usuallyassume that the hash function ispublic and not
keyed
-note that aMAC iskeyed
● hash used to detect changesto message
● can use in various wayswith message
● most often to create adigital signature
16

Hash Functions & Digital
Signatures
● Only the hash code is encrypted, using public-key
encryption andusingthe sender's private key.Aswith (b),
this providesauthentication. It alsoprovidesadigital
signature.
17

Requirements for Hash Functions
1. can be applied to anysize message M
2. produces afixed-length output h
3. iseasyto compute h=H(M) for anymessage M
4. given h isinfeasible to find x s.t. H(x)=h
5. given x isinfeasible to find y s.t. H(y)=H(x)
6. isinfeasible to find anyx,y s.t. H(y)=H(x)
18

Simple Hash Functions
● are several proposals for simple functions
● based on XORofmessage blocks
-divide the message into equal size blocks
-perform XORoperation block byblock
-final output is the hash
● not verysecure
● need astronger cryptographic function
19

Security of Hash Functions and
Macs
● Attacks on hash functionsand MACsinto two categories:
● Brute-force attacks
● Cryptanalysis.
20

Brute-Force Attacks
Hash Functions:
● In hashfunctions there are three desirable properties
● One-way: For anygiven code h, it is computationally infeasible to
find x such that H(x) = h.
● W
eak collision resistance:For anygiven block x, it is
computationally infeasible to find y≠x with H(y) = H(x).
● Strong collision resistance:It iscomputationallyinfeasible to
find anypair (x, y) suchthat H(x) = H(y).
● Forahashcodeoflength n, the levelofeffort required, aswehaveseen
isproportional to the following:
21

Contd…
MessageAuthentication Codes
● A brute-force attack on a MAC is a more difficult undertaking
because it requires known message-MAC pairs. Let us see why this
is so. To attack a hash code, we can proceed in the following way.
Given a fixed message x with n-bit hash code h = H(x), a brute-
force method of finding a collision is to pick a random bit string y
and check if H(y) = H(x). The attacker can do this repeatedly off
line. Whether an off-line attack can be used on a MAC algorithm
dependson the relative size of the keyand the MAC.
22

Contd…
● If an attacker can determine the MAC key, then it is possible to
generate avalid MAC value for anyinput x.
● Suppose the key size is k bits and that the attacker has one known
text-MAC pair. Then the attacker can compute the n-bit MAC on
the known text for all possible keys. At least one key is guaranteed
to produce the correct MAC, namely, the valid key that was
initially used to produce the known text-MAC pair. This phase of
the attack takes alevelof effort proportional to 2k.
23

Cryptanalysis
● As with encryption algorithms, cryptanalytic attacks on hash
functions and MACalgorithms seek to exploit some property
of the algorithm to perform some attack other than an
exhaustive search. The way to measure the resistance of a
hash or MAC algorithm to cryptanalysis is to compare its
strength to the effort required for a brute-force attack. That
is, an ideal hash or MAC algorithm will require a
cryptanalytic effort greater than or equal to the brute-force
effort.
24

Cryptanalysis
Hash Functions
● The hash function takes an input message and partitions it into L
fixed-sized blocks of b bits each. If necessary, the final block is
padded to b bits. The final block also includes the value of the total
length of the input to the hash function. The inclusion of the length
makesthe job of the opponent more difficult.
MessageAuthentication Codes
● There is much more variety in the structure of MACs than in hash
functions, so it is difficult to generalize about the cryptanalysis of
MACs. Further, far less work has been done on developing such
attacks.
25

Message Digests(Hash)
● Amessage digest is afingerprint or the summary of a
message. (Same as LRC and CRC)
● It is used to verify integrity of the data (Toensure that
message hasnot been tampered).
● Ex. LRC- paritychecking
26

Idea of a Message Digest
● Ex: Calculate the message digest ofnumber 7391743
● Multiply each digit in the number with the next digit
(excluding if it is 0) and disregarding the first digit of the
multiplication operation, it the result is two-digit number.
27

Calculate MD for 7391743
● Multiply 7 by 3 - 21
● Discard first digit - 1
28
● Message digest is 6

MD5 (Message Digest 5)
● MD5is amessage digest algorithm developed byRon Rivest.
● MD5algorithm can be used asadigital signature mechanism.
29

Description of the MD5 Algorithm
● Takesasinput amessage of arbitrary length and produces as
output a128 bit “fingerprint”or “messagedigest”ofthe
input.
● It it is computationally infeasible to produce two messages
havingthe same message digest.
● Intended where alarge file must be“compressed”in asecure
manner before being encrypted with aprivate keyunder a
public-keycryptosystem such as PGP
.
30

MD5 Algorithm
● Suppose ab-bit message asinput, and that we need to find its
message digest.
Step-1 Padding
Step-2Append length
Step-3 Divide the input into 512-bit blocks.
Step-4 Initialize chainingvariables (4 variables)
Step-5 Processblocks
31

Step-1
● MD5 isto add paddingbitsto the original message.
● The aim of this step is make length of the original message
equal to avalue,which is 64 bits less than an exact multiple
of512.
● Ex: 1000 bitsofmessage (1000+472+64)
● The paddingconsists ofasingle“1”bit is appended to the
message, and then“0”bits.
32

Step 2 – append length:
● A64 bit representation of b is appended to the result of the
previousstep.
● The resulting messagehasa length that is an exact multiple of
512 bits
33

Step-3 Divide the input into 512-bit
blocks
Data to be hashed (Digested) 1536 bits
512 bits 512 bits 512 bits
34

Step-4 Initialize chaining variables
● Afour-word buffer (A,B,C,D) is used to compute the
message digest.
● Here each ofA,B,C,D, is a32 bit register.
35

Step-5 Process blocks
1. – Copythe four variables(32*4 = 128)
2. – Divide the 512- bit block into 16 sub-blocks.
512 bits
5.3 – Processeach block withA, B, C, D.
32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32
bits bits bits bits bits bits bits bits bits bits bits bits bits bits bits bits
36

5.3 - Process each block with A, B, C, D.
37

Secure Hash Algorithm (SHA)
● SHA-1 producesahash value of160 bits.
● SHAisdesigned to be computationally infeasible to:
● Obtain the original message
● Find two messageproducing the same MD.
38

Types(Versions) of SHA
39

Algorithm
Step-1 Padding
Step-2Append length
Step-3 Divide the input into 512-bit blocks.
Step-4 Initialize chaining variables (5 varibles)
Step-5 Process blocks
40

5.3- Process each block with A, B, C, D, E.
41

Comparison of MD5 & SHA-1
Points of
Discussion
MD5 SHA-1
MD length in bits 128 160
Attack try to
find MD
2128 2160
Attack try to find
two messages
producing same
message digest
264 280
Speed Faster Slower
42

RACE Integrity Primitives Evaluation
Message Digest (RIPEMD-160)
● RIPEMD is a cryptographic hash based upon MD4. It's been
shown to have weaknesses and has been replaced by
RIPEMD-128 and RIPMD-160. These are cryptographic hash
functions designed by Hans Dobbertin, Antoon
Bosselaers, and Bart Preneel.
● RIPEMD-160 produces a hash of the same length as SHA1
but is slightly slower. RIPEMD-128 has been designed as a
drop-in replacement for MD4/MD5 whilst avoiding some of
the weaknesses shown for these two algorithms. It is about
halfthe speed ofMD5.
43

HMAC(Hash-Based MAC)
● HMAC has been chosen as a security implementation for Internet
Protocol (IP) and Secure Socket Layer(SSL), widely used in
internet.
● The fundamental idea of HMAC is to reuse the existing MD5 or
SHA-1.
44

Original
message
Existing MD5 or
SHA-1
MD Encrypt
HMA
C
K

How HMAC works?
● MD- Message Digest/ Hash function
● M– Input message
● ipad-Astring00110110 repeated b/ 8 times
● opqd-Astring01011010 repeated b/ 8 times
46

How HMAC works?
● Step-1 Make the lengthofKequal to b
● Length K<b (Append 0 – left side)
● Length K=b (Step -2)
● Length K>b (Hash Kreduce itslengthto b)
● Step- 2 XOR Kwith ipad to produce S1
● Step -3Append Mto S1
● Step -4 Message Digest algorithm
● Step -5 XOR Kwith opad to produce S2
● Step -6Append H toS2
● Message DigestAlgorithm
47

Authentication and Hash Functions

Recommended

Recommended

More Related Content

Similar to Authentication and Hash Functions

Similar to Authentication and Hash Functions (20)

More from JohnLagman3

More from JohnLagman3 (20)

Recently uploaded

Recently uploaded (20)

Authentication and Hash Functions