Scribd
Upload
144 views

Chap 11. Message Authentication and Hash Functions

This document discusses message authentication and hash functions. It describes the requirements for message authentication, including verifying the source and integrity of messages. It then discusses different types of authentication functions, including message encryption, message authentication codes (MACs), and hash functions. MACs and hash functions are described in more detail, including their basic uses, requirements, and examples of specific MAC algorithms.

Uploaded by

YazanAlomari
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
144 views

Chap 11. Message Authentication and Hash Functions

This document discusses message authentication and hash functions. It describes the requirements for message authentication, including verifying the source and integrity of messages. It then discusses different types of authentication functions, including message encryption, message authentication codes (MACs), and hash functions. MACs and hash functions are described in more detail, including their basic uses, requirements, and examples of specific MAC algorithms.

Uploaded by

YazanAlomari
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 26

Message Authentication and Hash Functions

Chap 11.
Message Authentication and
Hash Functions

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

Authentication Requirements

Authentication Requirements

Kind of attacks in the context of communications


across a network
1.
2.
3.
4.
5.
6.
7.
8.

Disclosure
Confidentiality
Traffic analysis
Masquerade
Content modification
Message
Digital
Authentication
Sequence modification
Signature
Timing modification
Source repudiation
Specialized Digital Signature
Destination repudiation

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

Authentication Requirements

Authentication Requirements
Message authentication
A procedure to verify that received messages come from the
alleged source and have not been altered
Message authentication may also verify sequencing and
timeliness

Digital signature
An authentication technique that also includes measures to
counter repudiation by the source

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

Authentication Functions

Authentication Functions
Message authentication or digital signature
mechanism can be viewed as having two levels
At lower level: there must be some sort of functions producing an
authenticator a value to be used to authenticate a message
This lower level functions is used as primitive in a higher level
authentication protocol

Three classes of functions that may be used to


produce an authenticator
Message encryption
Ciphertext itself serves as authenticator
Message authentication code (MAC)
A function of the message and a secret key that produces a
fixed-length value that serves as the authenticator
Hash function
A function that maps a message of any length into a fixedlength hash value that serves as the authenticator
Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

Authentication Functions

Message Encryption
Symmetric encryption can serve as authenticator
Symmetric encryption provides authentication as well as
confidentiality
Requires recognizable plaintext or other structure to distinguish
between well-formed legitimate plaintext and meaningless random
bits
e.g., ASCII text, an appended checksum, or use of layered
protocols

Public-key encryption also can serve as authenticator

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

Authentication Functions

Basic Uses of Message Encryption

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

Authentication Functions

Basic Uses of Message Encryption

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

Basic Uses of Message Encryption

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

Authentication Functions

Ways of Providing Structure - 1


Append an error-detecting code (frame check sequence
(FCS) or checksum) to each message before encryption

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

10

Authentication Functions

Message Authentication Code


Uses a shared secret key to generate a fixed-size
block of data (known as a cryptographic checksum
or MAC) that is appended to the message
MAC = CK(M), where C is a MAC function
Assurances:
Message has not been altered
Message is from the alleged sender
Message sequence is unaltered (requires internal sequencing)

Similar to encryption but MAC algorithm need not


be reversible

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

11

Authentication Functions

Basic Uses of MAC

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

12

Authentication Functions

Basic Uses of MAC

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

13

Authentication Functions

Why Use MACs?


Why not just use encryption?
Cleartext stays clear
MAC might be cheaper
Sometimes only authentication is needed
Broadcast
Authentication of executable codes
Sometimes need authentication to persist longer than
the encryption (e.g., archival use)
Separation of authentication and confidentiality provides
architectural flexibility

MAC does not provide a digital signature


Because both sender and receiver share the same key
Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

14

Authentication Functions

Hash Function
One-way hash function
Converts a variable size message M into fixed size hash code
H(M) (Sometimes called a message digest)
Unlike the MAC, a hash code does not use a key but is a
function only of the input message
Provides message integrity

Can be used with encryption or a shared key for


authentication

E(M || H(M)) : identical to the internal error control strategy


M || E(H(M)) : a MAC
M || signed H : typical digital signature
E(M || signed H)
M || H(M || K) : keyed hash (no encryption)
E(M || H(M || K))

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

15

Authentication Functions

Basic Uses of Hash Function

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

16

Authentication Functions

Basic Uses of Hash Function

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

17

Authentication Functions

Basic Uses of Hash Function

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

18

MACs

Message Authentication Codes

MAC = CK(M)
M is a variable-length message
K is a key shared only by sender and receiver
MAC is the fixed-length authenticator

Key length requirements


Sufficient key length to thwart brute-force attack
On average, require 2k-1 attempts for a k-bit key

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

19

MACs

Brute-force Attacks on MACs


Let k = key length, n = MAC length
Suppose confidentiality is not employed;
i.e., the opponent has access to plaintext messages
and their associated MACs
If k > n
Brute force gives 2(k-n) candidate keys
Given a known M1 and MAC1, with MAC1 = CK1(M1),
the
cryptanalyst can perform MACi = CKi(M1) for all possible key
values Ki.
At least one key is guaranteed to produce a match
On average, a total of 2k/2n = 2(k-n) keys will produce a match
Second round (a new M and MAC) reduces this to 2(k-2n) candidate
keys
On average, this requires k/n rounds

If k n, one round should suffice


Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

20

MACs

Attacks on MACs
Other attacks are possible, depending on the MAC
algorithm
E.g., consider the following MAC algorithm
Let M = (X1 || X2 || || Xm) be a message that is treated as a
concatenation of 64-bit blocks Xi
Define (M) = X1 X2 Xm; CK(M) = EK[(M)]

The opponent can attack the system as follows:


Replace Xi by Yi for i = 1 to m-1
Calculate Ym to produce the right checksum, and replace Xm by Ym
Ym = Y1 Y2 Ym-1 (M)
The new message, Y1 thru Ym, with the original MAC will be
accepted as authentic by the receiver
With this tactic, any message of length 64 (m-1) bits can be
fraudulently inserted
Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

21

MACs

Requirements for MAC Functions

Assume that an opponent knows the MAC function


C but does not know K. Then the MAC function
should have the following properties:
1. Given M and Ck(M), it must be computationally infeasible
to construct M s.t. Ck(M) = Ck(M)
2. CK(M) should be uniformly distributed in the sense that for
any M and M, Pr[Ck(M) = Ck(M)] should be 2-n, where n is
the length of the MAC
3. Let M be equal to some known transformation on M. That
is, M = f(M). In that case, Pr[Ck(M) = Ck(M)] = 2-n.

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

22

MACs

MAC Based on DES (CBC-MAC)


Last block of CBC mode of DES, with IV = 0
Referred to as Data Authentication Algorithm (FIPS
PUB 113 and ANSI standard (X9.17))
Security weaknesses have been discovered and it is being
replaced (refer to Chap.12 CMAC)

Data Authentication Code (DAC) consists of 16 to 64


leftmost bits of ON

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

23

Hash Functions

Hash Functions
h = H(M)
M is a variable-length message
h is a fixed-length hash value
H is a hash function

The hash value is appended at the source


The receiver authenticates the message by
recomputing the hash value
Because the hash function itself is not considered
to be secret, some means is required to protect the
hash value

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

24

Hash Functions

Hash Function Requirements


1.
2.
3.
4.

H can be applied to any size data block


H produces fixed-length output
H(x) is relatively easy to compute for any given x
H is one-way, i.e., given h, it is computationally
infeasible to find any x s.t. h = H(x)
5. H is weakly collision resistant: given x, it is
computationally infeasible to find any y x s.t.
H(x) = H(y)
6. H is strongly collision resistant: it is
computationally infeasible to find any x and y
s.t. H(x) = H(y)

Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

25

Hash Functions

Simple Hash Functions


Operation of hash functions
The input is viewed as a sequence of n-bit blocks
The input is processed one block at a time in an iterative fashion to
produce an n-bit hash function

Simplest hash function: Bitwise XOR of every block


Ci = bi1 bi2 bim
Ci = i-th bit of the hash code, 1 i n
m = number of n-bit blocks in the input
bij = i-th bit in j-th block
Known as longitudinal redundancy check
Not useful as a one-way function
Less effective in some cases
E.g., if only 7-bit out of 8-bit characters is used in text files, the
128-bit hash value is effectively 112-bit

We will encounter strong hash functions in Chap.12


Cryptography & Network Security

H. Yoon

Message Authentication and Hash Functions

26

Hash Functions

Simple Hash Functions


Improvement over the simple
bitwise XOR (Rotated XOR)
Initially set the n-bit hash value to zero
Process each successive n-bit block of data as
Rotate the current hash value to the left by
one bit
XOR the block into the hash value

Effect on randomizing the input

Cryptography & Network Security

H. Yoon

You might also like