Professional Documents
Culture Documents
Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of Hash Functions and MACs
Authentication Requirements
Disclosure Traffic analysis Masquerade Content modification Sequence modification Timing modification Repudiation In the realm of message confidentiality, and are addressed with encryption
Measures to deal with first two attacks: Measures to deal with items 3 thru 6
Message authentication
Authentication Requirements
Message authentication
A procedure to verify that messages come from the alleged source and have not been altered Message authentication may also verify sequencing and timeliness
Digital signature
An authentication technique that also includes measures to counter repudiation by either source or destination
Authentication Functions
Authentication Functions
Message authentication or digital signature mechanism can be viewed as having two levels
At lower level: there must be some sort of functions producing an authenticator a value to be used to authenticate a message This lower level functions is used as primitive in a higher level authentication protocol
Authentication Functions
Authentication Functions
Three classes of functions that may be used to produce an authenticator Message encryption
Ciphertext itself serves as authenticator A public function of the message and a secret key that produces a fixed-length value that serves as the authenticator A public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator
Hash function
Authentication Functions
Message Encryption
Authentication Functions
Authentication Functions
Authentication Functions
Authentication Functions
10
Authentication Functions
Uses a shared secret key to generate a fixedsize block of data (known as a cryptographic checksum or MAC) that is appended to the message MAC = CK(M) Assurances:
Message has not been altered Message is from alleged sender Message sequence is unaltered (requires internal sequencing)
Authentication Functions
12
Authentication Functions
13
Authentication Functions
Cleartext stays clear MAC might be cheaper Broadcast Authentication of executable codes Architectural flexibility Separation of authentication check from message use
14
Authentication Functions
Hash Function
Converts a variable size message M into fixed size hash code H(M) (Sometimes called a message digest) Can be used with encryption for authentication
E(M || H) M || E(H) M || signed H E( M || signed H ) gives confidentiality M || H( M || K ) E( M || H( M || K ) )
15
Authentication Functions
16
Authentication Functions
17
Authentication Functions
18
MACs
19
Hash Functions
Hash Functions
h = H(M) M is a variable-length message, h is a fixedlength hash value, H is a hash function The hash value is appended at the source The receiver authenticates the message by recomputing the hash value Because the hash function itself is not considered to be secret, some means is required to protect the hash value
20
Hash Functions
5.
6.
H can be applied to any size data block H produces fixed-length output H(x) is relatively easy to compute for any given x H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x) H is weakly collision resistant: given x, it is computationally infeasible to find any y { x s.t. H(x) = H(y) H is strongly collision resistant: it is computationally infeasible to find any x and y s.t. H(x) = H(y)
21
Hash Functions
One-way property is essential for authentication Weak collision resistance is necessary to prevent forgery Strong collision resistance is important for resistance to birthday attack
22
Hash Functions
Ci = i-th bit of the hash code, 1 e i e n m = number of n-bit blocks in the input bij = i-th bit in j-th block
23
Hash Functions
24
Birthday Attack
Birthday Attack
If the adversary can generate 2m/2 variants of a valid message and an equal number of fraudulent messages The two sets are compared to find one message from each set with a common hash value The valid message is offered for signature The fraudulent message with the same hash value is inserted in its place If a 64-bit hash code is used, the level of effort is only on the order of 232 Conclusion: the length of the hash code must be substantial
25
Birthday Attack
26