ITEC4614 Network Security and Implementation 2
Outline
Authentication Requirements
Authentication Functions
Hash and MAC Algorithms
What is Authentication?
A procedure to verify that received messages come from the alleged source and have not been altered. A digital signature is one such technique; it also includes countermeasures against repudiation by either source or destination.
Authentication Requirements
Possible attacks:
1. Disclosure
2. Traffic Analysis
3. Masquerade
4. Content Modification
5. Sequence Modification
6. Timing Modification
7. Repudiation: source and destination repudiation
Attacks #1-2 -> Confidentiality
Attacks #3-7 -> Authentication
Especially #7 is related to Digital Signature
Authentication Functions
3 types of cryptographic operations related to authentication:
  Message Encryption
  Message Authentication Code (MAC)
  Hash Function
Conventional Encryption (cont.)
Conventional encryption provides a weak form of authentication
If Bob can recover a message encrypted with a shared key between Alice and Bob, Bob knows that Alice sent this message.
If the message has been altered, Bob would not be able to read it.
Confidentiality and Authentication Implications of Message Encryption
Confidentiality and Authentication Implications of Msg Encryption (cont.)
Message Authentication Codes (MACs)
A MAC involves the use of a secret key to generate a small fixed-size block of data.
A MAC is also known as a cryptographic checksum:
MAC = C_K(M)
where M is a variable-length message,
K is a secret key shared between sender and receiver, and
C_K(M) is the fixed-length authenticator.
The MAC is appended to the message and sent to the receiver.
Message Authentication Code
MAC is irreversible, but encryption isn’t.
1. Alice and Bob share the secret K1.
2. Alice calculates MAC1 = C_K1(M)
   Alice -> Bob: {M, MAC1}
3. Bob calculates MAC2 = C_K1(M)
   If MAC2 = MAC1, M is sent from Alice and not altered
Confidentiality can be provided by encryption with another shared key.
   Alice -> Bob: {M, MAC1}K2
Requirements for MACs
1. If an opponent observes M and C_K(M), it should be computationally infeasible to construct M’ such that C_K(M’) = C_K(M).
2. C_K(M) should be uniformly distributed in the sense that for randomly chosen messages, M and M’, the probability that C_K(M) = C_K(M’) is 2^-n, where n is the number of bits in the MAC.
3. Let M’ be equal to some known transformation on M. That is, M’ = f(M). E.g. f may involve inverting one or more specific bits. In that case, Pr[C_K(M) = C_K(M’)] = 2^-n.
Using Symmetric Ciphers for MACs
Any block cipher chaining mode can be used, with the final block serving as the MAC.
The Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC:
  using IV=0 and zero-padding of the final block
  encrypt the message using DES in CBC mode
  and send just the final block as the MAC
  or the leftmost M bits (16≤M≤64) of the final block
but the final MAC is now too small for security
Hash Functions
A (one-way) hash function accepts a variable-size message M as input and produces a fixed-size hash code H(M) as output (called Message Digest)
Hash code provides error detection -> a change in one bit of message results in a change to the hash code.
Requirements for a Hash Function
1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. It is easy to compute H(x) from any given x.
4. For any given h, it is computationally infeasible to find x, where H(x) = h (“one-way property”)
5. For any x, it is computationally infeasible to find y, y≠x, H(y) = H(x) (“weak collision resistance”)
6. It is computationally infeasible to find any pair of (x, y) such that H(x) = H(y) (“strong collision resistance”)
Simple Hash Function
Bit-by-bit exclusive-OR (XOR)
C_i = b_i1 ⊕ b_i2 ⊕ … ⊕ b_im
where C_i = ith bit of the hash code, 1 ≤ i ≤ n
m = no. of n-bit blocks in the input
b_ij = ith bit in jth block
⊕ = XOR operation
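The XOR hash above, as an added example that is not part of the original slides: it detects a single flipped bit, but reordering the blocks leaves the hash code unchanged, so it fails the weak collision resistance requirement. The block size (n = 32 bits), the zero-padding rule and the sample message are assumptions made for the illustration.

```python
def pad_blocks(message: bytes, n_bytes: int) -> list:
    """Split into n-bit blocks (n = 8 * n_bytes); zero-padding the last block is an assumption."""
    message += b"\x00" * (-len(message) % n_bytes)
    return [message[j:j + n_bytes] for j in range(0, len(message), n_bytes)]


def xor_hash(message: bytes, n_bytes: int = 4) -> bytes:
    """C_i = b_i1 XOR b_i2 XOR ... XOR b_im, computed eight bit positions at a time."""
    code = bytearray(n_bytes)
    for block in pad_blocks(message, n_bytes):
        for i, byte in enumerate(block):
            code[i] ^= byte
    return bytes(code)


def reorder_collision(message: bytes, n_bytes: int = 4):
    """Swap the first two unequal blocks: a different message with the same hash code."""
    blocks = pad_blocks(message, n_bytes)
    for a in range(len(blocks)):
        for b in range(a + 1, len(blocks)):
            if blocks[a] != blocks[b]:
                blocks[a], blocks[b] = blocks[b], blocks[a]
                return b"".join(blocks)
    return None  # all blocks identical: reordering cannot change the message


# Constructed sample message: four 32-bit blocks.
ORIGINAL = b"PAY 0100 TO BOB "
FLIPPED = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]  # one bit changed
REORDERED = reorder_collision(ORIGINAL)               # blocks 1 and 2 swapped

if __name__ == "__main__":
    for label, msg in (("original", ORIGINAL), ("flipped", FLIPPED), ("reordered", REORDERED)):
        print(f"{label:9} {msg!r:22} -> {xor_hash(msg).hex()}")
```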
Basic Uses of Hash Functions (cont.)
S is shared between sender and receiver
Hash and MAC Algorithms
Hash Functions
  condense an arbitrary-size message to a fixed size
  by processing the message in blocks
  through some compression function
  either custom or block cipher based
Message Authentication Code (MAC)
  fixed-size authenticator for some message
  to provide authentication for the message
  by using a block cipher mode or a hash function
Roadmap
Authentication Requirements
Authentication Functions
Hash and MAC Algorithms
  MD5
  SHA-1
  HMAC
General Structure of Hash Function
f: compression function taking two inputs and producing n-bit output
CV_0 = IV = initial n-bit value
CV_i = f(CV_{i-1}, Y_{i-1}), 1 ≤ i ≤ L
H(M) = CV_L
MD5 Steps
1. Append padding bits: up to 64 bits less than a multiple of 512 bits
2. Append length: 64-bit representation of the length in bits.
   If the message is longer than 2^64 bits, only the low-order 64 bits of the length are used.
   Message length = K mod 2^64. K is the message represented in decimal number.
   The message is represented as a sequence of 512-bit blocks Y_0, Y_1, …, Y_{L-1}
   So, we have L blocks of 512 bits
   Each block is divided into 16 32-bit words.
   Total number of words in the message is N, represented by M[0,…, N-1]
   N = L x 16
MD5 Steps (cont.)
3. Initialize MD buffer
   The buffer is represented as 4 32-bit registers (A, B, C, D)
   Initialization value (in HEX)
   A: 01 23 45 67 (32 bits)
   B: 89 AB CD EF
   C: FE DC BA 98
   D: 76 54 32 10
MD5 Steps (cont.)
4. Process message in 512-bit (16-word) blocks
MD5 Steps (cont.)
5. Output
CV_0 = IV
CV_{q+1} = SUM32(CV_q, RF_I[Y_q, RF_H[Y_q, RF_G[Y_q, RF_F[Y_q, CV_q]]]])
MD = CV_L
IV = initial value of ABCD buffer
Y_q = the qth 512-bit block of the message
L = the number of blocks in the message
CV_q = chaining variable processed with qth message block
RF_x = round function using primitive function x
MD = final message digest value
SUM32 = addition modulo 2^32 performed separately on each word of the pair of inputs
MD5 Compression Function
S-bit circular left shift
Addition modulo
MD5 Compression Function (cont.)
Each step is in the form:
a <- b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
a,b,c,d = four words of the buffer
g = one of the primitive functions F,G,H,I
<<<s = s-bit circular left shift
X[k] = M[q x 16 + k] = the kth 32-bit word in the qth 512-bit block of the message
T[i] = the ith 32-bit word in matrix T
+ = addition modulo 2^32
SHA-1
MD5 accepts arbitrary length of input and produces 128-bit output.
SHA-1 accepts arbitrary length (less than 2^64 bits) of input and produces 160-bit output.
SHA-1 Steps
1. Append padding bits to 64 bits less than a multiple of 512 bits (length ≡ 448 mod 512)
2. Append length: length of original message in binary (64 bits)
3. Initialize MD buffer (160 bits)
   Initialization value
   A: 67 45 23 01
   B: EF CD AB 89
   C: 98 BA DC FE
   D: 10 32 54 76
   E: C3 D2 E1 F0
SHA-1 Steps (cont.)
4. Process message in 512-bit (16-word) blocks: for each 512-bit message block to be processed, 4 rounds, 20 steps each (compared to 16 steps each in MD5). So, 80 steps for 4 rounds.
SHA-1 Steps (cont.)
5. Output
After all 512-bit blocks have been processed, the output from the Lth stage is the 160-bit message digest.
CV_0 = IV
CV_{q+1} = SUM32(CV_q, ABCDE_q)
IV = initial value of ABCDE buffer
ABCDE_q = the output of the last round of processing of the qth message block
L = no. of message blocks
SUM32 = addition modulo 2^32
SHA-1 Compression Function
In each of the 80 rounds of processing one 512-bit message block:
A,B,C,D,E <- (E + f(t, B, C, D) + S^5(A) + W_t + K_t), A, S^30(B), C, D
A,B,C,D,E = words of the buffer
t = step number, 0 ≤ t ≤ 79
f(t,B,C,D) = primitive function for step t
S^k = k-bit circular shift of the 32-bit argument
W_t = a 32-bit word derived from the current 512-bit input block
K_t = an additive constant for step t
+ = addition modulo 2^32
SHA-1 Compression Function (cont.)
W_t = S^1(W_{t-16} ⊕ W_{t-14} ⊕ W_{t-8} ⊕ W_{t-3})
SHA-1 VS MD5
Security against brute-force attacks
  Length of SHA-1 output is longer than that of MD5
Security against cryptanalysis
  Collisions have been reported for both MD5 and SHA-1
Speed
  SHA-1 is slower than MD5 (80 versus 64 steps per message block)
Simplicity and compactness
  Both are simple
SHA-2
NIST issued revision FIPS 180-2 in 2002
adds 3 additional versions of SHA
  SHA-256, SHA-384, SHA-512
designed for compatibility with increased security provided by the AES cipher
structure & detail is similar to SHA-1
hence analysis should be similar
but security levels are rather higher
Keyed Hash Functions as MACs
want a MAC based on a hash function
  because hash functions are generally faster
  code for crypto hash functions widely available
hash includes a key along with message
original proposal:
  KeyedHash = Hash(Key|Message)
  some weaknesses were found with this
eventually led to development of HMAC
HMAC (Hashed MAC)
A MAC based on a cryptographic hash code
Motivations:
  Executing a hash function is faster than symmetric encryption
  Library code for hash functions is widely available.
  No export restrictions from the US to other countries
HMAC
specified as Internet standard RFC2104
uses hash function on the message:
  HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
where K+ is the key padded out to size
and opad, ipad are specified padding constants
overhead is just 3 more hash calculations than the message needs alone
any hash function can be used
  eg. MD5, SHA-1, RIPEMD-160, Whirlpool
HMAC Algorithm
HMAC_K = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
H = hash function
M = Message
Y_i = ith block of M, 0 ≤ i ≤ L-1
L = no. of blocks in M
b = no. of bits in a block (based on chosen hash fn)
n = length of hash code
K = secret key
K+ = K padded with zeros on the left so that the length is b bits
ipad = 00110110 repeated b/8 times
opad = 01011010 repeated b/8 times
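The HMAC formula and the earlier Alice/Bob MAC exchange together, as an added example that is not part of the original slides. It follows RFC 2104, which the slides cite: ipad byte 0x36, opad byte 0x5C, and the key zero-padded on the right to the block size. SHA-256 as the hash, the function names and the sample key and message are assumptions made for the illustration.

```python
import hashlib
import hmac


def hmac_from_formula(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]] per RFC 2104."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size   # b/8 bytes
    if len(key) > block_size:                        # RFC 2104: hash over-long keys first
        key = h(key)
    k_plus = key.ljust(block_size, b"\x00")          # K+: key padded with zeros to b bits
    inner_key = bytes(x ^ 0x36 for x in k_plus)      # K+ XOR ipad
    outer_key = bytes(x ^ 0x5C for x in k_plus)      # K+ XOR opad
    return h(outer_key + h(inner_key + message))


def alice_send(k1: bytes, message: bytes):
    """Alice -> Bob: {M, MAC1} with MAC1 = C_K1(M)."""
    return message, hmac_from_formula(k1, message)


def bob_verify(k1: bytes, message: bytes, mac1: bytes) -> bool:
    """Bob recomputes MAC2 = C_K1(M) and compares it with MAC1 in constant time."""
    mac2 = hmac_from_formula(k1, message)
    return hmac.compare_digest(mac1, mac2)


# Constructed sample key and message for the exchange.
K1 = b"shared-secret-between-alice-and-bob"
M, MAC1 = alice_send(K1, b"transfer 100 to account 42")
ALTERED = b"transfer 900 to account 42"   # content modification in transit

if __name__ == "__main__":
    print("MAC1              :", MAC1.hex())
    print("unaltered accepted:", bob_verify(K1, M, MAC1))
    print("altered accepted  :", bob_verify(K1, ALTERED, MAC1))
    print("wrong key accepted:", bob_verify(b"some other key", M, MAC1))
```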
Advantages of HMAC
An existing hash function can be used in HMAC
Easy to replace with a more secure or updated hash algorithm
HMAC is proven more secure than hash algorithms
HMAC Security
proved security of HMAC relates to that of the underlying hash algorithm
attacking HMAC requires either:
  brute force attack on key used
  birthday attack (but since keyed would need to observe a very large number of messages)
choose hash function used based on speed versus security constraints