Network Security – Assignment 3 - Abdul Haleem – L1F09MSCS0017

Message Integrity
Message integrity implies that the message is not altered in the way. Some times message
secrecy is not of the concern but its integrity is required. For example Alice may write a
will to distribute her estate upon her death. The secrecy of the will is not important. Every
one can examine the will but it is important that it remains unchanged [1].
For maintaining message integrity hash functions are used which create a hash value of
the message. Original message and its hash value are sent to the receiver who verifies
message integrity by re-computing the hash value and comparing with the received one.
The computed hash value should be one-way collision free. One-way property ensures
that given a hash value, its actual message cannot be retrieved. Collision free property
ensures that no two different messages should have same hash value [2].

Attacks on Message Integrity

Attacks on message integrity can be separated in two categories: attacks against one-way
property and attacks and collision free property.

Attacks against One-way Property

First Pre-image Attack

In this type of attack, Trudy knows the hash value but actual message is not known. Now
Trudy tries to create another message whose hash value is same as of original hash value.
This fake message is then sent to the receiver along with hash value. The receiver re-
computes the hash value and is unable to know that actual message is changed [2].
Following ideal algorithm elaborates how to perform a pre-image attack using a known
digest D [2].

Preimage_attack(D)
for (i = 1 to k) // number of times algorithm to be executed
create(M[i]) // create a new message
T = h(M[i]) // create hash of new message and store in T
if (T == D) return M[i] // match T with intercepted hash
return failure

The complexity of this algorithm is proportional to 2n, where n is the size of digest D [2].

Second Pre-image Attack

This type of attack is very similar to first pre-image attack. The difference is that Trudy
knows both actual message and its hash value. She tries to find out another message
whose hash value is same as of original and the fake message is sent to the receiver. As
the hash value is unchanged, the receiver is unable to detect forgery in the middle [2].
Following ideal algorithm elaborates how to perform a pre-image attack using a known
digest D and message M [2].

Preimage_attack(D, M)
for (i = 1 to k) // number of times algorithm to be executed
create(M[i]) // create a new message
T = h(M[i]) // create hash of new message and store in T
if (T == D) return M[i] // match T with intercepted hash
return failure

The complexity of this algorithm is proportional to 2n, where n is the size of digest D [2].

Attacks against Collision Free property

Collision Attack
In collision attack, two messages are built from the scratch whose hash value is same. For
example Trudy prepares another will whose hash is same as of original will. When the
time comes, fake will is presented and the forgery goes undetected.
All currently known practical attacks on md5 and sha-1 hash functions are collision
attacks [2].
Following ideal algorithm elaborates how to perform collision attack [2].

Collision_attack
for (i = 1 to k) // number of times algorithm to be executed
create (M[i]) // create a new message
D[i] = h(M[i]) // create hash of new message and store in D[i]
for (j = 1 to i) // find a matching digest with the new one
if (D[i] == D[j]) return M[i] and M[j]
return failure

The complexity of this algorithm is 2n/2, where n is the size of digest D [2].

Solutions to Message Integrity Attacks

Solution to the message integrity attacks is to increase the complexity of hashing
algorithm. The attacks would take too much time to break that is not practically feasible.
Following table summarizes complexity of pre-image and collision attacks of various
algorithms [3].

Algorithm Collision Attack complexity Pre-image attack complexity

GOST 2105 2192
MD2 263 273
MD4 3 270
MD5 220 2123
Tiger-2 262 2184
Message Authentication
In message authentication it is verified that the received message is from authentic sender
and not from Trudy. To provide message authentication, Alice needs to prove that it is
Alice sending the message and not someone else [1].
For guaranteeing message authentication, hash functions are used to create a Message
Authentication Code (MAC) using a secret key which is shared among sender and
receiver. This key is not known to any third person. Original message and MAC is sent to
receiver. The receiver re-computes the MAC using secret key and matches with the
received one. Sender is authenticated if MAC matches [1].

Attacks on Message Authentication

Three types of attacks are possible on message authentication [1].
1. If the size of secret key allows exhaustive search, Trudy can test all possible keys
to find out a MAC equal to the intercepted one. After finding the key, Trudy can
replace the actual message with a forged message of her choice.

2. The size of key is normally very large, so Trudy can use another tool: the pre-
image attack. In this type of attack Trudy tries to find out another message whose
digest is same as of intercepted one. After that she can find out the key and forge
the actual message.

3. Given some pairs of messages and their MACs, Trudy can manipulate them to
create a new message with its MAC.

Solutions to Message Authentication Attacks

Here we discuss the methods used for preserving message authentication against the
possible attacks.

Nested MAC
Nested MAC improves the security of MAC by applying hash function in two steps [1].
1. Concatenate key with actual message and apply hash function to create
intermediate digest.

2. Concatenate key with the intermediate digest and apply hash function to create
final digest.

HMAC
HMAC is much more complex than the simple nested MAC. There are additional
features such as padding. Here are its general steps [1]:
1. The message is divided in N blocks each of b bits.

2. The secret key is left padded to create a b-bit key. It is then exclusive-ored with a
predefined bitmap called ipad (input pad).
 3. The resultant block is pre-pended with the actual N block message to create (N+1)
blocks.

4. Hash function is now applied on the N+1 blocks to create an n-bit digest. This
digest is called intermediate digest.

5. The n-bit digest is left padded with 0s to make a b-bit block.

6. The secret key is again padded to make b-bits and exclusive-ored with a different
bitmap called opad (output pad).

7. The resultant key is pre-pended with the padded digest and then hash function is
applied to get final n-bit HMAC.

CMAC
The idea in CMAC is to create one block of MAC from N blocks of plain text using a
symmetric key N times. Here are the steps [1]:
1. The message is divided in N blocks of m bits. If last block is not of m bits, it is
padded with 1 followed by required number of zeros.

2. The first block is encrypted using the symmetric key to create an m-bit encrypted
block.

3. The encrypted block is exclusive-ored with next block and then encrypted to
create next m-bit encrypted block.

4. The process continues until the last block of plain text is exclusive-ored and
encrypted.

5. Left most n-bits form the last block is the CMAC.

References
1. Behrouz A. Forouzan, Cryptography & Network Security, Special Indian Edition,
McGraw Hill.
2. P. Hoffman and B. Schneier, “Attacks on Cryptographic Hashes in Internet
Protocols”, RFC 4270, November 2005.
3. http://en.wikipedia.org/wiki/Cryptographic_hash_function