Message Authentication and Hash Functions

    

Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of Hash Functions and MACs

Authentication Requirements


Kind of attacks (threats) in the context of communications across a network

1. 2. 3. 4. 5. 6. 7.

Disclosure Traffic analysis Masquerade Content modification Sequence modification Timing modification Repudiation In the realm of message confidentiality, and are addressed with encryption

Measures to deal with first two attacks: Measures to deal with items 3 thru 6
Message authentication

 

Measures to deal with items 7

Digital signature
2

Authentication Requirements


Message authentication
A procedure to verify that messages come from the alleged source and have not been altered Message authentication may also verify sequencing and timeliness

Digital signature
An authentication technique that also includes measures to counter repudiation by either source or destination

Authentication Functions

Authentication Functions


Message authentication or digital signature mechanism can be viewed as having two levels
At lower level: there must be some sort of functions producing an authenticator a value to be used to authenticate a message This lower level functions is used as primitive in a higher level authentication protocol

Authentication Functions

Authentication Functions


Three classes of functions that may be used to produce an authenticator Message encryption


Ciphertext itself serves as authenticator A public function of the message and a secret key that produces a fixed-length value that serves as the authenticator A public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator

Message authentication code (MAC)



Hash function


Authentication Functions

Message Encryption


Conventional encryption can serve as authenticator

Conventional encryption provides authentication as well as confidentiality Requires recognizable plaintext or other structure to distinguish between well-formed legitimate plaintext and meaningless random bits


e.g., ASCII text, an appended checksum, or use of layered protocols

Authentication Functions

Basic Uses of Message Encryption

Authentication Functions

Ways of Providing Structure

Append an error-detecting code (frame check sequence (FCS)) to each message

Authentication Functions

Ways of Providing Structure - 2

Suppose all the datagrams except the IP header is encrypted. If an opponent substituted some arbitrary bit pattern for the encrypted TCP segment, the resulting plaintext would not include a meaningful header

Authentication Functions

Confidentiality and Authentication Implications of Message Encryption

10

Authentication Functions

Message Authentication Code



 

Uses a shared secret key to generate a fixedsize block of data (known as a cryptographic checksum or MAC) that is appended to the message MAC = CK(M) Assurances:
Message has not been altered Message is from alleged sender Message sequence is unaltered (requires internal sequencing)

Similar to encryption but MAC algorithm needs not be reversible 11

Authentication Functions

Basic Uses of MAC

12

Authentication Functions

Basic Uses of MAC

13

Authentication Functions

Why Use MACs?

i.e., why not just use encryption?
     

Cleartext stays clear MAC might be cheaper Broadcast Authentication of executable codes Architectural flexibility Separation of authentication check from message use

14

Authentication Functions

Hash Function


Converts a variable size message M into fixed size hash code H(M) (Sometimes called a message digest) Can be used with encryption for authentication
E(M || H) M || E(H) M || signed H E( M || signed H ) gives confidentiality M || H( M || K ) E( M || H( M || K ) )
15

Authentication Functions

Basic Uses of Hash Function

16

Authentication Functions

Basic Uses of Hash Function

17

Authentication Functions

Basic Uses of Hash Function

18

MACs

Message Authentication Codes

MAC= CK(M) Key length requirements

Sufficient key length to thwart brute force attack

19

Hash Functions

Hash Functions
    

h = H(M) M is a variable-length message, h is a fixedlength hash value, H is a hash function The hash value is appended at the source The receiver authenticates the message by recomputing the hash value Because the hash function itself is not considered to be secret, some means is required to protect the hash value
20

Hash Functions

Hash Function Requirements

1. 2. 3. 4.

5.

6.

H can be applied to any size data block H produces fixed-length output H(x) is relatively easy to compute for any given x H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x) H is weakly collision resistant: given x, it is computationally infeasible to find any y { x s.t. H(x) = H(y) H is strongly collision resistant: it is computationally infeasible to find any x and y s.t. H(x) = H(y)

21

Hash Functions

Hash Function Requirements

  

One-way property is essential for authentication Weak collision resistance is necessary to prevent forgery Strong collision resistance is important for resistance to birthday attack

22

Hash Functions

Simple Hash Functions



Operation of hash functions

The input is viewed as a sequence of n-bit blocks The input is processed one block at a time in an iterative fashion to produce an n-bit hash function

Simplest hash function: Bitwise XOR of every block

Ci = bi1 bi2 bim
  

Ci = i-th bit of the hash code, 1 e i e n m = number of n-bit blocks in the input bij = i-th bit in j-th block

Known as longitudinal redundancy check

23

Hash Functions

Simple Hash Functions

Improvement over the simple bitwise XOR
Initially set the n-bit hash value to zero Process each successive n-bit block of data as follows Rotate the current hash value to the left by one bit XOR the block into the hash value

24

Birthday Attack

Birthday Attack


  

If the adversary can generate 2m/2 variants of a valid message and an equal number of fraudulent messages The two sets are compared to find one message from each set with a common hash value The valid message is offered for signature The fraudulent message with the same hash value is inserted in its place If a 64-bit hash code is used, the level of effort is only on the order of 232 Conclusion: the length of the hash code must be substantial

 

25

Birthday Attack

Generating 2m/2 Variants of Valid Messages

Insert a number of space-backspace-space character pairs between words throughout the document. Variations could then be generated by substituting space-backspace-space in selected instances Alternatively, simply reword the message but retain the meaning

26

Security of Hash Functions and MACs

Brute-Force Attack of Hash Functions



Three desirable properties of hash functions

One-way: For any given code h, it is computationally infeasible to find x s.t. H(x) = h Weak collision resistance: For any given block x, it is computationally infeasible to find y { x s.t. H(y) = H(x) Strong collision resistance: It is computationally infeasible to find any pair (x, y) s.t. H(y) = H(x)

Brute-force attack on n-bit hash code

One-way and weak collision require 2n effort Strong collision requires 2n/2 effort @ If strong collision resistance is required (and this is desirable for a general-purpose secure hash code), 2n/2 determines the strength of hash code against brute-force attack Currently, two most popular hash codes, SHA-1 and RIPEMD160, provide a 160-bit hash code length
27