Data Integrity / Data Authentication
Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification key – k’ Message space (usually binary strings) Every message between Alice and Bob is a pair (m, A k (m))
Definition (cont.) Requirement – V k’ (m,A k (m)) = “yes” In the symmetric case –k=k’ –The authentication algorithm is called MAC (Message Authentication Code) –A k (m) is frequently denoted MAC k (m) –Verification is by executing authentication and comparing with MAC k (m))
Definition (cont.) In the a-symmetric case –k k’ –The authentication algorithm is called “Digital signature” –A k (m) is frequently denoted SIG k (m)
Model Alice Eve Bob
Properties of MAC Functions Security requirement – adversary can’t construct a legal pair (m, MAC k (m)) Output should be as short as possible The MAC function is not 1-to-1
Adversarial Model Security Model: –Known message –Chosen message Note: chosen MAC is less realistic Goal: given n legal pairs (m 1, MAC k (m 1 )), …, (m n, MAC k (m n )) find a new legal pair (m, MAC k (m))
One-Way Functions A function f: D R is called one-way if: –Computing f(x) is “easy” –Computing f -1 (y) for almost all the images is “hard” Given the “real-world” definition of “hard” a one- way function may have a constant-sized output (e.g. SHA-1) Given the theoretical definition, we require a function with variable sized output or a family of one-way functions of constant sized output
Example The Domain is all the pairs of prime numbers. The function is f(p,q) = pq Multiplication is easy – naïve algorithm is O(n 2 ) Factoring is difficult – simple algorithm is O(2 n/2 ). NFS and ECM are better but not polynomial. The function f(p,q) = pq (almost) maintains length
Hash Functions Map large domains to smaller ranges Example h: N {0,1,…,m-1} is defined by h(k) = k mod m Used extensively for searching in hash tables Collisions are resolved by several possible means – chaining, open hashing etc.
Collision Resistance A hash function h: D R is called weakly collision resistant for x D if it is hard to find x’ x such that h(x’)=h(x) A function h: D R is called strongly collision resistant if it is hard to find x, x’ such that x’ x but h(x)=h(x’) Note: given certain constraints a strongly collision-resistant hash function is a one-way function
The Birthday Paradox If 23 people are chosen at random the probability that two of them have the same birth-day is greater than 0.5 Let h:D R be a mapping. If 1.17|R| 1/2 elements of D are chosen at random, the probability that two of them are mapped to the same image is greater than 0.5 Leads to the birthday attack
Cryptographic Hash Functions Cryptographic hash functions are hash functions that are strongly collision resistant. Usually defined by: –Compression function mapping n bits (e.g. 672) to m bits (e.g 160). –Extension via chaining to arbitrary strings. –Padding
Merkle - Damgard HHH M1M1 M2M2 MkMk IV h(M)
Merkle - Damgard (cont.) Unlike most encryption systems, the IV is usually constant Typically, there is padding (including text length before the final output) Claim: if the basic function H is collision resistant then so is its extension.
Lengths Input message length should be arbitrary Block length is usually 512 bits Output length should be at least 160 bits
Real-World Hash Functions MD family –MD-2 –MD-4 –MD-5 SHA and SHA-1 RIPE-MD SHA-256, 384 and 512
Hash Function Status Internet standards (IPSec, SSL, X.509, many others) use MD-5, SHA-1 almost exclusively Multi-block differential attacks: –First block get near collisions (small number of different bits) –Second block achieve full collision MD-5 fully broken, large number of collisions of Word, Postscript files and others. SHA-1 – collision attack requires 2 63 steps, no practical collisions found yet
HMAC Attempts First goal: combine message and key, hash and produce MAC Second goal: work with any cryptographic hash function First attempt: MAC k (m)=h(k,m) Second attempt: MAC k (m)=h(m,k)
HMAC Proposed in 1996 by [BCK] Receives as input a message m, a key k and a hash function h Outputs a MAC by: –HMAC k (m,h)= h(k opad, h(k ipad,m)) Claim [BCK]: HMAC can be broken if and only if the underlying hash function is broken.
HMAC in Practice SSL / TLS BPI IPSec: –AH –ESP SRTP