Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.

Slides:



Advertisements
Similar presentations
Lecture 5: Cryptographic Hashes
Advertisements

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Cryptographic Hash Functions Rocky K. C. Chang, February
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Goal Ensure integrity of messages, even in presence of
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part I.
CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
Cryptographic Hash Functions Message Authentication Digital Signatures.
EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim.
Message Authentication Code July Message Authentication Problem  Message Authentication is concerned with:  protecting the integrity of a message.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
1 Hashes and Message Digests. 2 Hash Also known as –Message digest –One-way function Function: input message -> output One-way: d=h(m), but not h’(d)
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
Chapter 21 Public-Key Cryptography and Message Authentication.
Theory of Computation II Topic presented by: Alberto Aguilar Gonzalez.
CSCI 172/283 Fall 2010 Hash Functions, HMACs, and Digital Signatures.
1 Hash Functions. 2 A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length
Confidentiality Confidentiality is maintained so long as private keys are secure. Authenticity is possible via public-key encryption by encrypting messages.
1 Network Security Lecture 5 Hashes and Message Digests Waleed Ejaz
Chapter 4 Message Authentication MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Modern Cryptography.
Cryptography and Network Security (CS435) Part Nine (Message Authentication)
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2014 Nitesh Saxena.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.3 Hash Functions.
Cryptographic Hash Functions
Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 11 September 23, 2004.
CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
Lecture 9 Overview. RSA Invented by Cocks (GCHQ), independently, by Rivest, Shamir and Adleman (MIT) Two keys e and d used for Encryption and Decryption.
1 Message Authentication using Message Digests and the MD5 Algorithm Message authentication is important where undetected manipulation of messages can.
Cryptography Hyunsung Kim, PhD University of Malawi, Chancellor College Kyungil University February, 2016.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.
Chapter 12 – Hash Algorithms
Cryptographic Hash Functions
Cryptographic Hash Function
Cryptographic Hash Functions
Cryptographic Hash Functions Part I
Cryptographic Hash Functions
Introduction to Symmetric-key and Public-key Cryptography
Lecture 4.1: Hash Functions: Introduction
Lecture 4.1: Hash Functions, and Message Authentication Codes
Cryptography Lecture 13.
Lecture 4: Hash Functions
Presentation transcript:

Data Integrity / Data Authentication

Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification key – k’ Message space (usually binary strings) Every message between Alice and Bob is a pair (m, A k (m))

Definition (cont.) Requirement – V k’ (m,A k (m)) = “yes” In the symmetric case –k=k’ –The authentication algorithm is called MAC (Message Authentication Code) –A k (m) is frequently denoted MAC k (m) –Verification is by executing authentication and comparing with MAC k (m))

Definition (cont.) In the a-symmetric case –k  k’ –The authentication algorithm is called “Digital signature” –A k (m) is frequently denoted SIG k (m)

Model Alice Eve Bob

Properties of MAC Functions Security requirement – adversary can’t construct a legal pair (m, MAC k (m)) Output should be as short as possible The MAC function is not 1-to-1

Adversarial Model Security Model: –Known message –Chosen message Note: chosen MAC is less realistic Goal: given n legal pairs (m 1, MAC k (m 1 )), …, (m n, MAC k (m n )) find a new legal pair (m, MAC k (m))

One-Way Functions A function f: D  R is called one-way if: –Computing f(x) is “easy” –Computing f -1 (y) for almost all the images is “hard” Given the “real-world” definition of “hard” a one- way function may have a constant-sized output (e.g. SHA-1) Given the theoretical definition, we require a function with variable sized output or a family of one-way functions of constant sized output

Example The Domain is all the pairs of prime numbers. The function is f(p,q) = pq Multiplication is easy – naïve algorithm is O(n 2 ) Factoring is difficult – simple algorithm is O(2 n/2 ). NFS and ECM are better but not polynomial. The function f(p,q) = pq (almost) maintains length

Hash Functions Map large domains to smaller ranges Example h: N  {0,1,…,m-1} is defined by h(k) = k mod m Used extensively for searching in hash tables Collisions are resolved by several possible means – chaining, open hashing etc.

Collision Resistance A hash function h: D  R is called weakly collision resistant for x  D if it is hard to find x’  x such that h(x’)=h(x) A function h: D  R is called strongly collision resistant if it is hard to find x, x’ such that x’  x but h(x)=h(x’) Note: given certain constraints a strongly collision-resistant hash function is a one-way function

The Birthday Paradox If 23 people are chosen at random the probability that two of them have the same birth-day is greater than 0.5 Let h:D  R be a mapping. If 1.17|R| 1/2 elements of D are chosen at random, the probability that two of them are mapped to the same image is greater than 0.5 Leads to the birthday attack

Cryptographic Hash Functions Cryptographic hash functions are hash functions that are strongly collision resistant. Usually defined by: –Compression function mapping n bits (e.g. 672) to m bits (e.g 160). –Extension via chaining to arbitrary strings. –Padding

Merkle - Damgard HHH M1M1 M2M2 MkMk  IV h(M)

Merkle - Damgard (cont.) Unlike most encryption systems, the IV is usually constant Typically, there is padding (including text length before the final output) Claim: if the basic function H is collision resistant then so is its extension.

Lengths Input message length should be arbitrary Block length is usually 512 bits Output length should be at least 160 bits

Real-World Hash Functions MD family –MD-2 –MD-4 –MD-5 SHA and SHA-1 RIPE-MD SHA-256, 384 and 512

Hash Function Status Internet standards (IPSec, SSL, X.509, many others) use MD-5, SHA-1 almost exclusively Multi-block differential attacks: –First block get near collisions (small number of different bits) –Second block achieve full collision MD-5 fully broken, large number of collisions of Word, Postscript files and others. SHA-1 – collision attack requires 2 63 steps, no practical collisions found yet

HMAC Attempts First goal: combine message and key, hash and produce MAC Second goal: work with any cryptographic hash function First attempt: MAC k (m)=h(k,m) Second attempt: MAC k (m)=h(m,k)

HMAC Proposed in 1996 by [BCK] Receives as input a message m, a key k and a hash function h Outputs a MAC by: –HMAC k (m,h)= h(k  opad, h(k  ipad,m)) Claim [BCK]: HMAC can be broken if and only if the underlying hash function is broken.

HMAC in Practice SSL / TLS BPI IPSec: –AH –ESP SRTP