© 2010, Henrique J. Domingos, DI/FCT/UNL 2.2 – Message Authentication and Secure Hash Functions 1
2. Cryptography
2.2 Message Authentication and Secure Hash Functions
DI-FCT-UNL Computer and Network Systems Security Segurança de Sistemas e Redes de Computadores 2010-2011

Outline
• Message Authentication and Secure Hash Functions
  – Message authentication codes (MACs)
  – Integrity, confidentiality and MACs
  – MAC schemes with conventional encryption
    • CMACs and Public-Key based Message Authentication
  – Secure Hash Functions
  – HMACs

Message Authentication
• Message authentication: proof of origin, confirming the sender (identity of originator)
  – protecting (implicitly) the message integrity
    • Contents have not been altered (tampering detection)
    • Proof that it was sent at a certain time or sequence (message replay detection or non-sequence detection)
  – validating identity of originator
    • Message certainly came from the apparent correct principal (source or author)
  – non-repudiation of origin (dispute resolution)
• In some cases, message authentication is arguably more important than secrecy (e.g., e-commerce)

MAC or Message Authentication Code
• Generated by an algorithm that creates:
  • a (usually small) fixed-size block, depending on both the message and some key (keyed MAC notion)
  • like encryption, though it need not be reversible
- A MAC is appended to the message as a “message signature”
- The receiver performs the same computation on the message and checks that it matches the MAC
- Provides assurance that the message is unaltered and comes from a correct sender (correct origin)
[Figure labels: “Variable size”, “Variable size”, “Fixed size”]

Message Authentication Codes
• As shown, the MAC provides authentication and implicit integrity (but no confidentiality)
• Why use a MAC with no confidentiality or no integrity warranties?
  – sometimes only authentication is needed
  – sometimes authentication and integrity need to persist longer than the encryption (e.g., archival use)
  (Weak integrity checking may be supported with other schemes: MICs, other checksum functions)
• Can use encryption for secrecy (combining authentication + integrity + confidentiality)
  – generally use separate keys for each
  – can compute MAC either before or after encryption
  – is generally regarded as better done before
  – … but must also consider the balance of requirements for authentication, confidentiality, integrity vs. DoS

Example
• A protected record-layer message transport protocol for secure communication sessions
Ex., in SSL (or TLS): application-level protocol

Example of a Record-Layer Protocol
• RLM = H || { Pp(M) || MAC }_Ks
Ex: RLP in SSL or TLS
Transport Layer

MAC Properties
• a MAC works as a cryptographic secure checksum
  MAC = C_K(M) or MAC_K(M) or MAC(K, M)
• Note that a MAC is not a digital signature (authentication of principals) in the sense of digital signatures for principals
  – A MAC requires shared keys
  – Used like a “fast or light-weight message signature scheme” based on an NDA (non-disclosure agreement) of the key. Why ?
• is it a “many-to-one” function ?
  – potentially many messages have the same MAC
• Not warranted collision free
  – but finding these needs to be very difficult
• With appropriate security properties of MAC cryptographic functions. Which properties ?

Security properties of MACs
• Irreversibility
  If Y = MAC(X1), it is not possible to find X1 knowing Y
• Collision resistance: knowing a message and its MAC, it is infeasible to find another message with the same MAC
  – Weak collision resistance: given Y = MAC(X1) and X1, no other X2 can be found with Y = MAC(X2)
  – Strong collision resistance: given a value Y, it is not possible to find any Z1 and Z2 such that MAC(Z1) = MAC(Z2) = Y
• Uniform distribution
  – MACs should be uniformly distributed, independently of the message input
  – MAC should depend equally on all bits of the message

Examples (typical uses)
• Ex. 1: Header | {M, TS, NS, …}_k1 | MAC_K2(M, TS, NS, …)
• Ex. 2: Header | {M, TS, SN, …, MAC_KS(M, TS, SN, …)}_ks
• Ex. 3: Content-Type | M version | m version | Compressed length |
  { compress [M, TS, SN, … MAC_Km(M, TS, N, …)] }_KS
• Ex. 4 (DoS minimization tradeoff): Content-Type | M version | m version | Compressed length |
  { compress [M, TS, SN, …] }_KS | MAC_Km(M, TS, NS, …)
Note: you must take into account other issues in the security assumptions: block modes of operation, key distribution, attacks on weaknesses of MAC properties

Approaches to Message Authentication
• Message Authentication Codes (MACs)
  – “Keyed MACs”: calculate the MAC as a function of the message and the key. MAC = F(K, M)
  – “Non-keyed MACs”: the MAC as a function of the message only. MAC = F(M)
  – Message Authentication using Encryption
    • CMACs: with symmetric encryption, only the sender and receiver should share a key (used on a “non-disclosure key agreement basis”)
    • with asymmetric encryption: equivalent to public-key digital signatures
  – Message Authentication without Message Encryption
    • An authentication tag (MAC tag) is generated and appended to each message
    • In general with secure hash functions (no need of additional keys)

Message Authentication with Encryption
• Message encryption using conventional encryption (or symmetric methods) by itself also provides a measure of authentication
• If symmetric encryption is used then:
  – receiver knows the sender must have created it, since only sender and receiver know the key used
    • Shared secret key, used with non-disclosure mutual agreement
  – know the content cannot have been altered or tampered with, if the message has suitable structure, redundancy with MICs or a checksum to detect any changes

CMAC based schemes
• Can use any block cipher chaining mode and use the final block as a MAC
• Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC (scheme known as CMAC with DES)
  – using IV=0 and zero-pad of final block
  – encrypt message using DES in CBC mode
  – and send just the final block as the MAC
    • or the leftmost M bits (16≤M≤64) of final block

Data Authentication Algorithm
FIPS PUB 113 / ANSI X9.17 MAC (with DES-CBC)
… the final MAC is today too small for security
In general, it is possible to use CMACs with other symmetric algorithms to obtain stronger CMACs

CMAC (NIST improvement 800-38B)
• previously saw the DAA (CBC-MAC), widely used in govt & industry
  – but has message size limitation (DES and DES blocks)
  – ad hoc practices with other algorithms
• NIST standardization
• can overcome using 2 keys & padding, thus forming the Cipher-based Message Authentication Code (CMAC)
• adopted by NIST SP800-38B for use with AES and Triple DES

CMAC Overview
AES: K: 128/192/256 bits
3DES: K: 112/168 bits
K1, K2: derived from K ({0}_K and GF(2^n) multiplication)
[Figure panels: with no padding; with padding]

Message Authentication with Encryption
• Message encryption with public-key cryptography (asymmetric methods) also provides a measure of authentication
• If public-key encryption is used:
  – Encryption provides no confidence of sender (encrypting with the public key), since anyone potentially knows the public key
  – However if
    • sender signs message using their private key
      – (principle of public-key signatures)
    • then encrypts with the recipient's public key
    • have both secrecy and authentication
      { {M}_KprivSender }_KpubDest
  – Again need to recognize corrupted messages
  – But at cost of two public-key uses on message

One-way HASH function
• Secret value is added before the hash and removed before transmission.
• Compared with the other schemes: balance between performance and security
  – Reference: secure hash functions are faster than symmetric methods, which are faster than public-key crypto (in general)

Hash Functions
• Condenses arbitrary message to fixed size
  h = H(M) : hash code or message digest
• Usually assume that the hash function is public and not keyed
  – cf. MAC which is keyed
• Hash is used to detect changes to message
  – Message tampering detection
• Can use in various ways with message
• Most often to create a “fast or light-weight digital signature”
[Figure: M (variable size) → Secure Hash Function → H (fixed size)]

Secure HASH Functions
Purpose of the HASH function is to produce a “fingerprint” (hash value), with the following properties:
1. H can be applied to a block of data of any size
2. H produces a fixed-length output
3. H(x) is easy to compute for any given x.
4. Irreversibility: for any given block x, it is computationally infeasible to find x such that H(x) = h
5. Weak collision resistance: for any given block x, it is computationally infeasible to find with H(y) = H(x).
6. Strong collision resistance: it is computationally infeasible to find any pair (x, y) such that H(x) = H(y)
7. Uniform distribution

Birthday Attacks
• might think a 64-bit hash is secure ? 128 is better ?
• … Think on it by the Birthday Paradox
  – The chance that in a group of people two will share the same birthday: with 23 persons, p > 0.5
  – Generalization: matching pair from any two sets: 2^(m/2) in each set to get a matching m-bit hash
• birthday attack works thus:
  – opponent generates 2^(m/2) variations of a valid message, all with essentially the same meaning
  – opponent also generates 2^(m/2) variations of a desired fraudulent message (to get a matching m-bit hash)
  – the two sets of messages are compared to find a pair with the same hash (probability > 0.5 by birthday paradox)
  – have user sign the valid message, then substitute the forgery, which will have a valid signature
• conclusion is that need to use larger MAC/hash
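
The 2^(m/2) bound above can be measured directly, which is how a digest length should be sized. The following is an added example, not part of the original slides: it uses the one-set form of the birthday bound on SHA-256 truncated to m bits as a stand-in for an m-bit hash; the function names and the sample message prefix are constructed for this illustration.

```python
import hashlib
from itertools import count


def truncated_hash(data: bytes, m_bits: int) -> int:
    """First m_bits of SHA-256(data) as an integer (stand-in for an m-bit hash)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - m_bits)


def find_collision(m_bits: int, prefix: bytes = b"constructed-sample-"):
    """Hash distinct messages until two of them share an m-bit hash.

    Returns (msg_a, msg_b, trials), where trials is the number of hashes computed.
    """
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        h = truncated_hash(msg, m_bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def work_factor_table(sizes=(16, 24, 32)):
    """For each hash size m: (m, measured trials, 2^(m/2), 2^m)."""
    rows = []
    for m in sizes:
        _, _, trials = find_collision(m)
        rows.append((m, trials, 2 ** (m // 2), 2 ** m))
    return rows


if __name__ == "__main__":
    for m, trials, birthday, brute in work_factor_table():
        print(f"m={m:2d} bits: collision after {trials} hashes "
              f"(2^(m/2)={birthday}, 2^m={brute})")
```

The measured number of trials stays within a small factor of 2^(m/2) and far below 2^m, so an m-bit digest offers only about m/2 bits of collision resistance.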

Simple Hash Function (LRC MIC)
Longitudinal redundancy check
• C_i = B_i1 xor B_i2 xor … xor B_im, for 1 <= i <= n
• Good (acceptable) as a MIC ? The probability that an error will result in an unchanged hash value is 1/2^n
• Is it secure ? Ex., predictable input such as text with a 128-bit hash reduces P to 1/2^112
• How can we do better ? Need to provoke an effect of randomizing the input more completely and overcoming any regularities
2^37 variations of a letter
[Dav 89]

Simple Hash Function approach
• Ex., a one-bit circular shift on the hash value after each block is processed would improve it
  Use of RXOR (Rotated XOR)
• Is it secure ? Useful for encrypted messages ?

The hash is the same if you permute the cipher text blocks (non collision resistance) !!!
We must be careful [Jueneman, Matyas and Meyer, Message Authentication, IEEE Communications, Sep 1988]
Ex., operation with CBC mode
• M = set of words (e.g., 64 bits each): X1, X2, ... Xn, with some standard (known) padding
• H(M) = Xn+1 = X1 xor X2 xor X3 xor .... xor Xn-1 xor Xn
• C = E(k, (M || H(M))), using CBC
• C = Y1, Y2, Y3, .... Yn+1
From the CBC mode we know that:
  X1 = IV xor D(k, Y1), Xi = Yi-1 xor D(k, Yi)
  H(M) = Xn+1 = Yn xor D(k, Yn+1)
       = X1 xor X2 xor .... xor Xn
       = [IV xor D(k, Y1)] xor [Y1 xor D(k, Y2)] xor .... xor [Yn-1 xor D(k, Yn)]
Problem ?
So we need SECURE HASH FUNCTIONS
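
The XOR hash from the LRC slide and the CBC construction above can be run end to end to see why the receiver's check gives no integrity. This is an added example, not from the original slides: the 4-round Feistel cipher is a toy constructed only so the demo runs offline (it stands in for DES and is not a real cipher), and the key, IV and message are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit words, as on the slide


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def xor_hash(blocks):
    """H(M) = X1 xor X2 xor ... xor Xn."""
    h = bytes(BLOCK)
    for blk in blocks:
        h = xor(h, blk)
    return h


# Toy 4-round Feistel cipher, constructed only for this demo (NOT a real cipher).
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def decrypt_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for x in blocks:
        prev = encrypt_block(key, xor(x, prev))
        out.append(prev)
    return out


def cbc_decrypt(key, iv, cblocks):
    out, prev = [], iv
    for y in cblocks:
        out.append(xor(decrypt_block(key, y), prev))
        prev = y
    return out


def receiver_accepts(key, iv, cblocks):
    """Decrypt, then check that the last block is the XOR of all the others."""
    plain = cbc_decrypt(key, iv, cblocks)
    return plain[-1] == xor_hash(plain[:-1]), plain[:-1]


def demo():
    key, iv = b"constructed demo key", bytes(BLOCK)
    msg = [b"PAY 0010", b" TO BOB ", b"FROM ALI", b"CE. END."]  # constructed sample
    c = cbc_encrypt(key, iv, msg + [xor_hash(msg)])  # C = E(k, M || H(M)), CBC
    swapped = [c[1], c[0]] + c[2:]                   # Y1 and Y2 exchanged in transit
    accepted, received = receiver_accepts(key, iv, swapped)
    return {
        "original_accepted": receiver_accepts(key, iv, c)[0],
        "reordered_accepted": accepted,
        "plaintext_changed": received != msg,
    }


if __name__ == "__main__":
    print(demo())
```

The reordered ciphertext decrypts to a different plaintext, yet the XOR check still passes, because every Yi and every D(k, Yi) appears in the XOR sum exactly once regardless of order.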

Block Ciphers as Hash Functions
• Without secret keys: instead using the message blocks as “keys”
• can use block ciphers as hash functions
  – using H0 = 0 and zero-pad of final block
  – compute: Hi = E_Mi[Hi-1]
  – and use final block as the hash value
  – similar to CBC but without a key
• Problems ?
• resulting hash is too small (e.g., 64-bit using DES)
  – both due to direct birthday attack
  – and to “meet-in-the-middle” attack
• other variants also susceptible to attack

Hash Functions & MAC Security
• like block ciphers have:
• brute-force attacks exploiting
  – strong collision resistance: hashes have cost with complexity O(2^(m/2))
    • have proposal for h/w MD5 cracker (see the book)
    • 128-bit hash looks vulnerable, 160 bits better
  – MACs with known message-MAC pairs
    • can either attack keyspace (cf. key search) or MAC
    • Cost in this case is O(min(2^k, 2^n)), which is similar to symmetric encryption algorithms
    • at least 128-bit MAC is needed for security

Hash Functions & MAC Security
• cryptanalytic attacks exploit structure
  – like block ciphers want brute-force attacks to be the best alternative
• have a number of analytic attacks on iterated hash functions
  – CV_i = f[CV_i-1, M_i]; H(M) = CV_N
  – typically focus on collisions in function f
  – like block ciphers is often composed of rounds
  – attacks exploit properties of round functions

Outline
• Message Authentication and Secure Hash Functions
  – Message authentication codes (MACs)
  – Integrity, confidentiality and MACs
  – MAC schemes with conventional encryption
    • CMACs and Public-Key based Message Authentication
  – Secure Hash Functions
    • MD5, RIPEMD, SHA and SHA-1
    • SHA256, SHA384, SHA512
    • Digest lengths, base processing blocks, iteration rounds, maximum input message
  – HMACs
Secure Hash Functions
Hash Algorithm Structure
Most important modern hash functions follow this structure

Other Secure HASH functions
                           SHA-1                 MD5                   RIPEMD-160
Digest length              160 bits              128 bits              160 bits
Basic unit of processing   512 bits              512 bits              512 bits
Number of steps            80 (4 rounds of 20)   64 (4 rounds of 16)   160 (5 paired rounds of 16)
Maximum message size       2^64-1 bits

SHA - Secure Hash Algorithm
• SHA (NIST FIPS 180) originally designed by NIST & NSA in 1993
  – was revised in 1995 as SHA-1 (FIPS PUB 180-1)
• US standard for use with DSA signature scheme
  – standard is FIPS 180-1 1995, also Internet RFC3174
  – nb. the algorithm is SHA, the standard is SHS
• based on design of MD4 with key differences
• produces 160-bit hash values
• recent 2005 results on security of SHA-1 have raised concerns on its use in future applications
  – Attack in which two separate messages could be found that deliver the same SHA-1 hash with 2^69 operations, far fewer than the 2^80 operations previously thought needed to find a collision
Message Digest Generation Using SHA-1
SHA-1 Processing of single 512-Bit Block

SHA-1 – is it weak ?
• produces 160-bit hash values
  – Strong collision resistance: O(2^80)
• recent 2005 results on security of SHA-1 have raised concerns on its use in future applications
  – Attack in which two separate messages could be found that deliver the same SHA-1 hash with 2^69 operations, far fewer than the 2^80 operations previously thought needed to find a collision

Revised Secure Hash Standard
• NIST issued revision FIPS 180-2 in 2002
• adds 3 additional versions of SHA
  – SHA-256, SHA-384, SHA-512
• designed for compatibility with increased security provided by the AES cipher
• structure & detail is similar to SHA-1
• hence analysis should be similar
• but security levels are rather higher
SHA-512 Overview

SHA-512 Compression Function
• Processing message in 1024-bit blocks
  – See last slide
• F(): heart of the algorithm
  – consists of 80 rounds
    • updating a 512-bit buffer
    • using a 64-bit value Wt derived from the current message block
    • and a round constant based on cube root of first 80 prime numbers
SHA-512 Round Function

SHA-3
• SHA-1 not yet “broken”
  – but similar to broken MD5 & SHA-0
  – so considered insecure
• SHA-2 (esp. SHA-512) seems secure
  – shares same structure and mathematical operations as predecessors … so have concern
• NIST announced in 2007 a competition for the SHA-3 next-gen NIST hash function
  – goal to have in place by 2012 but not fixed

SHA-3 Requirements
• It must be possible to replace SHA-2 with SHA-3 in any use
  – so use same hash sizes
• Preserve the online nature of SHA-2
  – so must process small blocks (512 / 1024 bits)
• Evaluation criteria
  – Security close to theoretical max for hash sizes
  – Cost in time & memory
  – Characteristics: such as flexibility & simplicity

HMAC (as in RFC 2104)
• It was born from the idea of a “keyed hash”
• Specified as Internet standard RFC 2104
• uses hash function on the message:
  HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
• where K+ is the key padded out to size
• and opad, ipad are specified padding constants
• overhead is just 3 more hash calculations than the message needs alone
• any hash function can be used
  – e.g., MD5, SHA-1, RIPEMD-160, Whirlpool
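
The HMAC formula above, written out step by step and used the way the MAC slides describe (tag appended by the sender, recomputed and compared by the receiver). This is an added example, not code from the original slides; the names hmac_rfc2104, tag_message and verify_message are this example's own, and the ipad/opad byte values and the hashing of over-long keys follow RFC 2104.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # padding constants defined in RFC 2104


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = H[(K+ xor opad) || H[(K+ xor ipad) || M]]."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block_size:
        # RFC 2104: a key longer than one block is hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(block_size, b"\x00")         # K+: key zero-padded to block size
    inner_key = bytes(b ^ IPAD for b in k_plus)
    outer_key = bytes(b ^ OPAD for b in k_plus)
    inner = hashlib.new(hash_name, inner_key + msg).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def tag_message(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Sender side: append the MAC tag to the message."""
    return msg + hmac_rfc2104(key, msg, hash_name)


def verify_message(key: bytes, tagged: bytes, hash_name: str = "sha256"):
    """Receiver side: recompute the tag; return the message, or None on mismatch."""
    n = hashlib.new(hash_name).digest_size
    if len(tagged) < n:
        return None
    msg, tag = tagged[:-n], tagged[-n:]
    expected = hmac_rfc2104(key, msg, hash_name)
    # constant-time comparison, so timing does not reveal how many bytes matched
    return msg if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    key = b"constructed shared key"           # constructed sample values
    wire = tag_message(key, b"transfer 10 to bob")
    print(verify_message(key, wire))           # message is returned
    tampered = wire.replace(b"10", b"99", 1)
    print(verify_message(key, tampered))       # None: tag no longer matches
```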

HMAC Structure
Use a MAC derived from a cryptographic hash code, such as SHA-1.
Motivations:
• Cryptographic hash functions execute faster in software than encryption algorithms such as DES
• Library code for cryptographic hash functions is widely available
• No export restrictions from the US

HMAC Security vs. Speed
• proved security of HMAC relates to that of the underlying hash algorithm
• attacking HMAC requires either:
  – brute force attack on key used
  – birthday attack (but since keyed, would need to observe a very large number of messages)
• choose hash function used based on speed versus security constraints
• HMAC as “fast (or light-weight) signatures” (compared with CMACs or public-key signatures)

Remember: performance of algorithms
Comparisons in Java (standard JDK and Sun Crypto-Provider)
http://www.javamex.com/tutorials/cryptography/ciphers.shtml
http://www.javamex.com/tutorials/cryptography/hash_functions_algorithms.shtml
See also: OpenSSL speed benchmark (speed test library performance)
http://wikis.sun.com/display/CryptoPerf/UltraSPARC+cryptographic+performance
Suggested Readings
• W. Stallings, Network Security Essentials, Chap. 3, sections 3.1, 3.2
• More complete: W. Stallings, Cryptography and Network Security – Principles and Practices, 4th Edition, Pearson – Prentice Hall, Chap. 11 and 12