Network Security Professor Adeel Akram. Modern Block Cyphers

Network Security

Professor Adeel Akram

Modern Block Cyphers

Outline

► Modern Block Cyphers
  - Block vs. Stream Cyphers
  - Block Cipher Principles
  - Substitution-Permutation Ciphers
  - Confusion and Diffusion
  - Feistel Cipher
  - Data Encryption Standard (DES)
  - Advanced Encryption Standard
  - Secure Hash Algorithm (SHA-1)
  - HMAC

13/10/2010 4

Modern Block Ciphers

► one of the most widely used types of cryptographic algorithms
► provide secrecy and/or authentication services
► in particular will introduce DES (Data Encryption Standard)

Block vs. Stream Ciphers

► block ciphers process messages into blocks, each of which is then en/decrypted
► like a substitution on very big characters
  - 64-bits or more
► stream ciphers process messages a bit or byte at a time when en/decrypting
► many current ciphers are block ciphers

Block Cipher Principles

► most symmetric block ciphers are based on a Feistel Cipher Structure
► needed since must be able to decrypt ciphertext to recover messages efficiently
► block ciphers look like an extremely large substitution
► would need table of 2^64 entries for a 64-bit block
► instead create from smaller building blocks
► using idea of a product cipher

Claude Shannon and Substitution-Permutation Ciphers

► in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks
  - modern substitution-transposition product cipher
► these form the basis of modern block ciphers
► S-P networks are based on the two primitive cryptographic operations we have seen before:
  - substitution (S-box)
  - permutation (P-box)
► provide confusion and diffusion of message

Confusion and Diffusion

► diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
► confusion – makes relationship between ciphertext and key as complex as possible

Feistel Cipher Structure

► Horst Feistel devised the feistel cipher
  - based on concept of invertible product cipher
► partitions input block into two halves
  - process through multiple rounds which perform a substitution on left data half based on round function of right half & subkey
  - then have permutation swapping halves
► implements Shannon’s substitution-permutation network concept

Feistel Cipher Structure (diagram)

Feistel Cipher Decryption (diagram)

Data Encryption Standard (DES)

► most widely used block cipher in world
► adopted in 1977 by NBS (now NIST) as FIPS PUB 46
► encrypts 64-bit data using 56-bit key
► has widespread use
► has been considerable controversy over its security

DES Encryption (diagram)

Initial Permutation IP

► first step of the data computation
► IP reorders the input data bits
► even bits to LH half, odd bits to RH half
► quite regular in structure (easy in h/w)
► example:
  IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
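The initial permutation as a table-driven bit reordering, added here as an example and not taken from the slides. The IP table is the standard one from FIPS PUB 46; the `permute` and `invert_table` helpers are the editor's own, and `invert_table` derives the final permutation IP^-1 rather than hard-coding it. The slide's worked value is used to check the table.

```python
# Added example (not from the slides): the DES initial permutation IP as a
# bit-reordering table, applied with a generic table-driven permute routine.

# Output bit n (1-based, MSB first) is taken from input bit IP[n-1].
# The first 32 entries are all even input bits (left half), the rest odd (right half).
IP = [58, 50, 42, 34, 26, 18, 10, 2,
      60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,
      64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1,
      59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,
      63, 55, 47, 39, 31, 23, 15, 7]


def permute(value, table, width):
    """Apply a DES-style permutation table to a `width`-bit integer (bit 1 = MSB)."""
    out = 0
    for src in table:
        out = (out << 1) | ((value >> (width - src)) & 1)
    return out


def invert_table(table):
    """Build the inverse permutation table; for IP this is the final permutation IP^-1."""
    inv = [0] * len(table)
    for dst, src in enumerate(table, start=1):
        inv[src - 1] = dst
    return inv


IP_INV = invert_table(IP)


def initial_permutation(block):
    """Apply IP to a 64-bit block and split it into the 32-bit L0 and R0 halves."""
    p = permute(block, IP, 64)
    return p >> 32, p & 0xFFFFFFFF


def final_permutation(left, right):
    """Undo IP: reassemble the halves and apply IP^-1 (the last step of DES)."""
    return permute((left << 32) | right, IP_INV, 64)


if __name__ == "__main__":
    l0, r0 = initial_permutation(0x675A69675E5A6B5A)   # the slide's example input
    print(f"L0 = {l0:08x}  R0 = {r0:08x}")
```

Note that IP has no cryptographic strength on its own; it is a fixed, key-independent wiring, which is why the slide calls it "easy in hardware".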

DES Round Structure

► uses two 32-bit L & R halves
► as for any Feistel cipher can describe as:
  L_i = R_{i-1}
  R_i = L_{i-1} xor F(R_{i-1}, K_i)
► takes 32-bit R half and 48-bit subkey and:
  - expands R to 48-bits using perm E
  - adds to subkey
  - passes through 8 S-boxes to get 32-bit result
  - finally permutes this using 32-bit perm P
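The Feistel structure from the earlier slide and the round equations above, as an added example that is not part of the slides. It uses a deliberately non-invertible round function (a truncated hash, the editor's construction, not DES's F) to show that decryption needs only the subkeys in reverse order, and a constructed key schedule that yields 48-bit subkeys as DES does.

```python
# Added example (not from the slides): a generic Feistel network with a
# deliberately non-invertible round function, run on 64-bit blocks.
import hashlib

MASK32 = 0xFFFFFFFF


def round_function(right, subkey):
    """Toy F(R, K): a hash of (R, K) truncated to 32 bits. It is NOT invertible,
    which is exactly why the Feistel structure is needed to decrypt."""
    digest = hashlib.sha256(right.to_bytes(4, "big") + subkey).digest()
    return int.from_bytes(digest[:4], "big")


def feistel_rounds(block, subkeys):
    """Apply L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i) once per subkey."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    # Undo the final swap so the same routine inverts itself with reversed keys.
    return (right << 32) | left


def feistel_encrypt(block, subkeys):
    return feistel_rounds(block, subkeys)


def feistel_decrypt(block, subkeys):
    """Decryption is the same network with the subkeys in reverse order."""
    return feistel_rounds(block, list(reversed(subkeys)))


def derive_subkeys(key, rounds=16):
    """Constructed key schedule (not DES's): subkey i is a hash of key and round number,
    truncated to 6 bytes = 48 bits like a DES subkey."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(rounds)]


if __name__ == "__main__":
    keys = derive_subkeys(b"constructed-key")
    ct = feistel_encrypt(0x0123456789ABCDEF, keys)
    print(f"ciphertext {ct:016x}, decrypts to {feistel_decrypt(ct, keys):016x}")
```

The security of such a network rests entirely on F and the key schedule; the structure only guarantees invertibility.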

DES Round Structure (diagram)

Substitution Boxes S

► have eight S-boxes which map 6 to 4 bits
► each S-box is actually 4 little 4 bit boxes
  - outer bits 1 & 6 (row bits) select one row
  - inner bits 2-5 (col bits) are substituted
  - result is 8 lots of 4 bits, or 32 bits
► row selection depends on both data & key
  - feature known as autoclaving (autokeying)
► example:
  S(18 09 12 3d 11 17 38 39) = 5fd25e03

DES Key Schedule

► forms subkeys used in each round
► consists of:
  - initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
  - 16 stages consisting of:
    ► selecting 24-bits from each half
    ► permuting them by PC2 for use in function f
    ► rotating each half separately either 1 or 2 places depending on the key rotation schedule K

Strength of DES – Key Size

► 56-bit keys have 2^56 = 7.2 x 10^16 values
► brute force search looks hard
► recent advances have shown is possible
  - in 1997 on Internet in a few months
  - in 1998 on dedicated h/w (EFF) in a few days
  - in 1999 above combined in 22hrs!
► still must be able to recognize plaintext
► now considering alternatives to DES

Modes of Operation

► block ciphers encrypt fixed size blocks
► eg. DES encrypts 64-bit blocks, with 56-bit key
► need way to use in practice, given usually have arbitrary amount of information to encrypt
► four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
► subsequently now have 5 for DES and AES
► have block and stream modes

Electronic Codebook (ECB)

► message is broken into independent blocks which are encrypted
► each block is a value which is substituted, like a codebook, hence name
► each block is encoded independently of the other blocks
  C_i = DES_K1(P_i)
► uses: secure transmission of single values

Electronic Codebook (ECB) (diagram)

Advantages and Limitations of ECB

► repetitions in message may show in ciphertext
  - if aligned with message block
  - particularly with data such as graphics
  - or with messages that change very little, which become a code-book analysis problem
► weakness due to encrypted message blocks being independent
► main use is sending a few blocks of data

Cipher Block Chaining (CBC)

► message is broken into blocks
► but these are linked together in the encryption operation
► each previous cipher block is chained with current plaintext block, hence name
► use Initial Vector (IV) to start process
  C_i = DES_K1(P_i XOR C_{i-1})
  C_{-1} = IV
► uses: bulk data encryption, authentication

Cipher Block Chaining (CBC) (diagram)

Advantages and Limitations of CBC

► each ciphertext block depends on all message blocks
► thus a change in the message affects all ciphertext blocks after the change as well as the original block
► need Initial Value (IV) known to sender & receiver
  - however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
  - hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message
► at end of message, handle possible last short block
  - by padding either with known non-data value (eg nulls)
  - or pad last block with count of pad size
  - eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count

Cipher FeedBack (CFB)

► message is treated as a stream of bits
► added to the output of the block cipher
► result is fed back for next stage (hence name)
► standard allows any number of bits (1, 8 or 64 or whatever) to be fed back
  - denoted CFB-1, CFB-8, CFB-64 etc
► is most efficient to use all 64 bits (CFB-64)
  C_i = P_i XOR DES_K1(C_{i-1})
  C_{-1} = IV
► uses: stream data encryption, authentication

Cipher FeedBack (CFB) (diagram)

Advantages and Limitations of CFB

► appropriate when data arrives in bits/bytes
► most common stream mode
► limitation is need to stall while do block encryption after every n-bits
► note that the block cipher is used in encryption mode at both ends
► errors propagate for several blocks after the error

Output FeedBack (OFB)

► message is treated as a stream of bits
► output of cipher is added to message
► output is then fed back (hence name)
► feedback is independent of message
► can be computed in advance
  C_i = P_i XOR O_i
  O_i = DES_K1(O_{i-1})
  O_{-1} = IV
► uses: stream encryption over noisy channels

Output FeedBack (OFB) (diagram)

Advantages and Limitations of OFB

► used when error feedback a problem or where need to encrypt before message is available
► superficially similar to CFB
► but feedback is from the output of cipher and is independent of message
► a variation of a Vernam cipher
  - hence must never reuse the same sequence (key+IV)
► sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
► originally specified with m-bit feedback in the standards
► subsequent research has shown that only OFB-64 should ever be used

Counter (CTR)

► a “new” mode, though proposed early on
► similar to OFB but encrypts counter value rather than any feedback value
► must have a different key & counter value for every plaintext block (never reused)
  C_i = P_i XOR O_i
  O_i = DES_K1(i)
► uses: high-speed network encryptions

Counter (CTR) (diagram)

Advantages and Limitations of CTR

► efficiency
  - can do parallel encryptions
  - in advance of need
  - good for bursty high speed links
► random access to encrypted data blocks
► provable security (good as other modes)
► but must ensure never reuse key/counter values, otherwise could break (cf OFB)
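The five modes from the ECB, CBC, CFB, OFB and CTR slides, written directly from their equations, plus the pad-with-count scheme from the CBC slide. This is an added example, not code from the slides. Since DES is not in the Python standard library, `ToyBlockCipher` is a constructed, invertible 64-bit permutation that stands in for DES_K1 only so the chaining structure can be run and checked; it has no cryptographic strength and is labelled as such in the code.

```python
# Added example (not from the slides): the five modes as the slide equations,
# over a constructed toy 64-bit block permutation standing in for DES_K1.

BLOCK = 8                     # DES-sized 64-bit blocks
MASK = (1 << 64) - 1


class ToyBlockCipher:
    """Constructed stand-in for DES_K1: an invertible 64-bit permutation, NOT a secure
    cipher. It exists only so the chaining of each mode can be seen and tested."""

    def __init__(self, key):
        k = int.from_bytes(key, "big")        # key: 16 constructed bytes
        self.k1 = k & MASK
        self.k2 = (k >> 64) & MASK
        self.mul = (k | 1) & MASK             # odd, hence invertible mod 2^64
        self.inv = pow(self.mul, -1, 1 << 64)

    def encrypt_block(self, b):
        x = (int.from_bytes(b, "big") ^ self.k1) * self.mul & MASK
        return (x ^ self.k2).to_bytes(BLOCK, "big")

    def decrypt_block(self, b):
        y = (int.from_bytes(b, "big") ^ self.k2) * self.inv & MASK
        return (y ^ self.k1).to_bytes(BLOCK, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def pad(msg):
    """Slide scheme: pad with zero bytes and put the pad length in the last byte."""
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes(n - 1) + bytes([n])


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or any(data[-n:-1]):
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(c, msg):                       # C_i = E_K(P_i); identical blocks repeat
    return b"".join(c.encrypt_block(p) for p in blocks(msg))


def cbc_encrypt(c, iv, msg):                   # C_i = E_K(P_i XOR C_{i-1}), C_{-1} = IV
    out, prev = [], iv
    for p in blocks(msg):
        prev = c.encrypt_block(xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(c, iv, ct):
    out, prev = [], iv
    for blk in blocks(ct):
        out.append(xor(c.decrypt_block(blk), prev))
        prev = blk
    return b"".join(out)


def cfb_encrypt(c, iv, msg):                   # CFB-64: C_i = P_i XOR E_K(C_{i-1}), C_{-1} = IV
    out, prev = [], iv
    for p in blocks(msg):
        prev = xor(p, c.encrypt_block(prev))   # last block may be short; no padding needed
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(c, iv, ct):                    # block cipher runs in ENCRYPT direction at both ends
    out, prev = [], iv
    for blk in blocks(ct):
        out.append(xor(blk, c.encrypt_block(prev)))
        prev = blk
    return b"".join(out)


def ofb_keystream(c, iv, nblocks):             # O_i = E_K(O_{i-1}), O_{-1} = IV; message-independent
    o, ks = iv, []
    for _ in range(nblocks):
        o = c.encrypt_block(o)
        ks.append(o)
    return b"".join(ks)


def ctr_keystream(c, nonce, nblocks):          # O_i = E_K(nonce || i); every block independent
    return b"".join(c.encrypt_block(nonce + i.to_bytes(4, "big")) for i in range(nblocks))


def stream_xor(keystream, msg):                # C_i = P_i XOR O_i for OFB and CTR; same call decrypts
    return xor(keystream, msg)
```

With a message whose first two blocks are identical, `ecb_encrypt` produces two identical ciphertext blocks while `cbc_encrypt` does not, which is the ECB limitation the slides describe. The OFB and CTR keystreams are computed without the message, so they can be prepared in advance; for CTR, block i can be computed on its own, which is what makes parallel encryption and random access possible.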

Advanced Encryption Standard

► clear a replacement for DES was needed
  - have theoretical attacks that can break it
  - have demonstrated exhaustive key search attacks
► can use Triple-DES – but slow with small blocks
► US NIST issued call for ciphers in 1997
► 15 candidates accepted in Jun 98
► 5 were shortlisted in Aug-99
► Rijndael was selected as the AES in Oct-2000
► issued as FIPS PUB 197 standard in Nov-2001

AES Requirements

► 128-bit data, 128/192/256-bit keys
► stronger & faster than Triple-DES
► active life of 20-30 years (+ archival use)
► provide full specification & design details
► both C & Java implementations
► NIST have released all submissions & unclassified analyses

AES Evaluation Criteria

► initial criteria:
  - security – effort to practically cryptanalyse
  - cost – computational
  - algorithm & implementation characteristics
► final criteria
  - general security
  - software & hardware implementation ease
  - implementation attacks
  - flexibility (in en/decrypt, keying, other factors)

AES Shortlist

► after testing and evaluation, shortlist in Aug-99:
  - MARS (IBM) - complex, fast, high security margin
  - RC6 (USA) - v. simple, v. fast, low security margin
  - Rijndael (Belgium) - clean, fast, good security margin
  - Serpent (Euro) - slow, clean, v. high security margin
  - Twofish (USA) - complex, v. fast, high security margin
► then subject to further analysis & comment
► saw contrast between algorithms with
  - few complex rounds versus many simple rounds
  - which refined existing ciphers versus new proposals

The AES Cipher - Rijndael

► designed by Rijmen-Daemen in Belgium
► has 128/192/256 bit keys, 128 bit data
► an iterative rather than feistel cipher
  - treats data in 4 groups of 4 bytes
  - operates on an entire block in every round
► designed to be:
  - resistant against known attacks
  - speed and code compactness on many CPUs
  - design simplicity

Rijndael

► processes data as 4 groups of 4 bytes (state)
► has 9/11/13 rounds in which state undergoes:
  - byte substitution (1 S-box used on every byte)
  - shift rows (permute bytes between groups/columns)
  - mix columns (subs using matrix multiply of groups)
  - add round key (XOR state with key material)
► initial XOR key material & incomplete last round
► all operations can be combined into XOR and table lookups - hence very fast & efficient

Rijndael (diagram)

Byte Substitution

► a simple substitution of each byte
► uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
► each byte of state is replaced by byte in row (left 4-bits) & column (right 4-bits)
  - eg. byte {95} is replaced by row 9 col 5 byte
  - which is the value {2A}
► S-box is constructed using a defined transformation of the values in GF(2^8)
► designed to be resistant to all known attacks

Shift Rows

► a circular byte shift in each row
  - 1st row is unchanged
  - 2nd row does 1 byte circular shift to left
  - 3rd row does 2 byte circular shift to left
  - 4th row does 3 byte circular shift to left
► decrypt does shifts to right
► since state is processed by columns, this step permutes bytes between the columns

Mix Columns

► each column is processed separately
► each byte is replaced by a value dependent on all 4 bytes in the column
► effectively a matrix multiplication in GF(2^8) using prime poly m(x) = x^8 + x^4 + x^3 + x + 1

Add Round Key

► XOR state with 128-bits of the round key
► again processed by column (though effectively a series of byte operations)
► inverse for decryption is identical since XOR is own inverse, just with correct round key
► designed to be as simple as possible

AES Round (diagram)

AES Key Expansion

► takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words
► start by copying key into first 4 words
► then loop creating words that depend on values in previous & 4 places back
  - in 3 of 4 cases just XOR these together
  - every 4th has S-box + rotate + XOR constant of previous before XOR together
► designed to resist known attacks
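The Rijndael slides above (state layout, byte substitution, shift rows, mix columns, add round key and the 128-bit key expansion) assembled into a working AES-128 encryptor, as an added example rather than code from the slides. The S-box is generated from the GF(2^8) inverse and affine map instead of being typed in, so the slide's {95} -> {2A} can be checked, and the state follows the FIPS-197 column-major byte order (state[row + 4*col]). Function and variable names are the editor's.

```python
# Added example (not from the slides): a minimal AES-128 encryptor built from
# the four Rijndael round steps, in pure Python. Encryption only, 128-bit keys only.

AES_POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, the slide's "prime poly"


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo m(x) (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def build_sbox():
    """S-box = multiplicative inverse in GF(2^8) followed by the fixed affine map."""
    def rotl(v, k):
        return ((v << k) | (v >> (8 - k))) & 0xFF

    sbox = []
    for x in range(256):
        inv = x
        for _ in range(6):                      # x^127 by square-and-multiply
            inv = gf_mul(gf_mul(inv, inv), x)
        inv = gf_mul(inv, inv)                  # x^254 == x^-1 (0 stays 0)
        sbox.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return sbox


SBOX = build_sbox()


def sub_bytes(s):
    """One S-box applied to every byte of the state."""
    return [SBOX[b] for b in s]


def shift_rows(s):
    """Row r is rotated left by r bytes, moving bytes between columns."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    """Each column is multiplied by the fixed circulant matrix {2,3,1,1} over GF(2^8)."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out


def add_round_key(s, rk):
    """XOR the state with 16 bytes of round key; its own inverse."""
    return [a ^ b for a, b in zip(s, rk)]


def expand_key(key):
    """16-byte key -> 44 words; every 4th word gets RotWord, SubWord and the round constant."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # rotate, then S-box
            t[0] ^= rcon                           # XOR round constant
            rcon = gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    # Round key r is words 4r..4r+3; in column-major order they are 16 state bytes.
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key, block):
    rks = expand_key(key)
    s = add_round_key(list(block), rks[0])          # initial key addition
    for r in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rks[r])
    s = add_round_key(shift_rows(sub_bytes(s)), rks[10])   # last round omits MixColumns
    return bytes(s)


if __name__ == "__main__":
    print(f"S[0x95] = {SBOX[0x95]:02X}")    # the slide's example: 2A
    print(aes128_encrypt_block(bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff")).hex())
```

A table-driven build (the "XOR and table lookups" the Rijndael slide mentions) folds SubBytes, ShiftRows and MixColumns into four 256-entry word tables; the step-by-step form here is slower but shows each transformation separately. Decryption, per the AES Decryption slide, needs the inverse S-box, right shifts and the inverse MixColumns matrix and is not included.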

AES Decryption

► AES decryption is not identical to encryption since steps done in reverse
► but can define an equivalent inverse cipher with steps as for encryption
  - but using inverses of each step
  - with a different key schedule
► works since result is unchanged when
  - swap byte substitution & shift rows
  - swap mix columns & add (tweaked) round key

Message Authentication

► message authentication is concerned with:
  - protecting the integrity of a message
  - validating identity of originator
  - non-repudiation of origin (dispute resolution)
► will consider the security requirements
► then three alternative functions used:
  - message encryption
  - message authentication code (MAC)
  - hash function

Security Requirements

► disclosure
► traffic analysis
► masquerade
► content modification
► sequence modification
► timing modification
► source repudiation
► destination repudiation

Message Encryption

► message encryption by itself also provides a measure of authentication
► if symmetric encryption is used then:
  - receiver knows sender must have created it
  - since only sender and receiver know key used
  - know content cannot have been altered
  - if message has suitable structure, redundancy or a checksum to detect any changes

Message Encryption

► if public-key encryption is used:
  - encryption provides no confidence of sender
  - since anyone potentially knows public-key
  - however if
    ► sender signs message using their private-key
    ► then encrypts with recipient’s public key
    ► have both secrecy and authentication
  - again need to recognize corrupted messages
  - but at cost of two public-key uses on message

Message Authentication Code (MAC)

► generated by an algorithm that creates a small fixed-sized block
  - depending on both message and some key
  - like encryption though need not be reversible
► appended to message as a signature
► receiver performs same computation on message and checks it matches the MAC
► provides assurance that message is unaltered and comes from sender

Page 55: Message Authentication Code (figure)

Page 56: Message Authentication Codes

► as shown the MAC provides confidentiality
► can also use encryption for secrecy
  generally use separate keys for each
  can compute MAC either before or after encryption
  is generally regarded as better done before
► why use a MAC?
  sometimes only authentication is needed
  sometimes need authentication to persist longer than the encryption (eg. archival use)
► note that a MAC is not a digital signature

Page 57: MAC Properties

► a MAC is a cryptographic checksum
  MAC = C_K(M)
  condenses a variable-length message M using a secret key K to a fixed-sized authenticator
► is a many-to-one function
  potentially many messages have same MAC
  but finding these needs to be very difficult

Page 58: Requirements for MACs

► taking into account the types of attacks
► need the MAC to satisfy the following:
1. knowing a message and its MAC, it is infeasible to find another message with the same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the message

Page 59: Using Symmetric Ciphers for MACs

► can use any block cipher chaining mode and use final block as a MAC
► Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
  using IV=0 and zero-pad of final block
  encrypt message using DES in CBC mode
  and send just the final block as the MAC
► or the leftmost M bits (16≤M≤64) of final block
► but final MAC is now too small for security

Page 60: Hash Functions

► condenses arbitrary message to fixed size
► usually assume that the hash function is public and not keyed
  cf. MAC which is keyed
► hash used to detect changes to message
► can use in various ways with message
► most often to create a digital signature

Page 61: Hash Functions & Digital Signatures (figure)

Page 62: Hash Function Properties

► a Hash Function produces a fingerprint of some file/message/data
  h = H(M)
  condenses a variable-length message M to a fixed-sized fingerprint
► assumed to be public

Page 63: Requirements for Hash Functions

1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h=H(M) for any message M
4. given h is infeasible to find x s.t. H(x)=h
   • one-way property
5. given x is infeasible to find y s.t. H(y)=H(x)
   • weak collision resistance
6. is infeasible to find any x,y s.t. H(y)=H(x)
   • strong collision resistance

Page 64: Simple Hash Functions

► are several proposals for simple functions
► based on XOR of message blocks
► not secure since can manipulate any message and either not change hash or change hash also
► need a stronger cryptographic function
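Why the block-XOR hash fails requirements 5 and 6 of page 63, as an added example in Go (not code from the slides): two manipulations that change the message but leave the XOR hash untouched, compared side by side with SHA-1. The block size, the message and the helper names (XORHash, SwapBlocks, FlipInTwoBlocks, Collides) are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"fmt"
)

// XORHash is the simple block-XOR hash the slide describes: the message is cut
// into blockSize-byte blocks (last block zero-padded) and the blocks are XORed.
func XORHash(msg []byte, blockSize int) []byte {
	h := make([]byte, blockSize)
	for i, b := range msg {
		h[i%blockSize] ^= b // byte i lands at position i mod blockSize of its block
	}
	return h
}

// SwapBlocks returns a copy of msg with blocks i and j exchanged. Because XOR is
// commutative, the XOR hash of the result is identical to that of msg.
func SwapBlocks(msg []byte, blockSize, i, j int) []byte {
	out := append([]byte(nil), msg...)
	copy(out[i*blockSize:(i+1)*blockSize], msg[j*blockSize:(j+1)*blockSize])
	copy(out[j*blockSize:(j+1)*blockSize], msg[i*blockSize:(i+1)*blockSize])
	return out
}

// FlipInTwoBlocks flips the same bit in the first two blocks. The two changes
// cancel in the XOR, so again the hash is unchanged although the message is not.
func FlipInTwoBlocks(msg []byte, blockSize, offset int, mask byte) []byte {
	out := append([]byte(nil), msg...)
	out[offset] ^= mask
	out[blockSize+offset] ^= mask
	return out
}

// Collides reports whether a and b collide under XORHash (with blockSize) and
// under SHA-1, so the toy hash and a real one can be compared on the same input.
func Collides(a, b []byte, blockSize int) (xorSame, sha1Same bool) {
	return bytes.Equal(XORHash(a, blockSize), XORHash(b, blockSize)),
		sha1.Sum(a) == sha1.Sum(b)
}

func main() {
	const bs = 8
	m := []byte("TO:ALICE$100.00 ") // constructed: two 8-byte fields
	swapped := SwapBlocks(m, bs, 0, 1)
	x, s := Collides(m, swapped, bs)
	fmt.Printf("%q vs %q: xor-hash same=%v sha1 same=%v\n", m, swapped, x, s)
}
```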

Page 65: Hash Algorithms

► see similarities in the evolution of hash functions & block ciphers
  increasing power of brute-force attacks
  leading to evolution in algorithms
  from DES to AES in block ciphers
  from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash algorithms
► likewise tend to use common iterative structure as do block ciphers

Page 66: Questions

Email: [email protected] (uettaxila.edu.pk)