UNIT 2 Public-key Cryptography And Message Authentication

Slides:



Advertisements
Similar presentations
Sri Lanka Institute of Information Technology
Advertisements

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
Hash and MAC Algorithms
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Information Security and Management 11
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
Network Security Essentials Fifth Edition by William Stallings Fifth Edition by William Stallings.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.
PULIC –KEY CRYPTOGRAPHY AND MESSAGE AUTHENTICATION.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Public-Key Cryptography and Message Authentication Ola Flygt Växjö University, Sweden
Acknowledgements: William Stallings.William Stallings All rights Reserved Session 4 Public Key Cryptography (Part 2) Network Security Essentials Application.
HASH Functions.
Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.
1 Chapter 11: Message Authentication and Hash Functions Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
Message Authentication and Hash Functions Chapter 11.
Chapter 21 Public-Key Cryptography and Message Authentication.
Hash and MAC Functions CS427 – Computer Security
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.
Hash and Mac Algorithms. Contents Hash Functions Secure Hash Algorithm HMAC.
Cryptographic Hash Functions and Protocol Analysis
Chapter 11 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Message Authentication and Hash Functions K. U. Khimani Asst. Prof. IT Dept. VVP Engineering College.
Cryptography and Network Security (CS435) Part Nine (Message Authentication)
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
1 Public Key Cryptography. 2 Public Key Cryptography Agenda: Message authentication – authentication codes and hash functions Public key encryption –
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.
Message Authentication Code
Chapter 12 – Hash Algorithms
Cryptographic Hash Functions & Digital Signatures
CSCE 715: Network Systems Security
Network Security.
Cryptographic Hash Function
Message Authentication and Hash Functions
Message Authentication Code
Cryptography and Network Security Chapter 11
ICS 454 Principles of Cryptography
Cryptography and Network Security Chapter 11
Message Authentication Codes, Hashes and Message Digests
Message Authentication and Hash Functions
Chapter 11 – Message Authentication and Hash Functions
Hash and MAC Algorithms
Message Authentication and Hash Functions
NETW4005 COMPUTER SECURITY - A
ICS 454 Principles of Cryptography
Message Authentication
Chapter -7 CRYPTOGRAPHIC HASH FUNCTIONS
Message Authentication Code
One-way Hash Function Network Security.
HMAC and its Design Objectives
Hash Function Requirements
CRYPTOGRAPHY & NETWORK SECURITY
The Secure Hash Function (SHA)
Message Authentication
Simple Hash Functions Network Security.
Presentation transcript:

UNIT 2 Public-key Cryptography And Message Authentication Prof.Ms.S.G.Pundkar PRMIT&R

Contents Approaches to Message Authentication Secure Hash Functions and HMAC Public-Key Cryptography Principles Public-Key Cryptography Algorithms Digital Signatures Key Management

2.1 Approaches to Message Authentication Q1. List different approaches for message authentication. ? or Q2. What is message authentication ? Explain message authentication MAC ? Encryption provides protection against passive attacks In passive attack the goal of the opponent is to obtain information that is being transmitted. Active attacks require some other treatments. Protection against such attacks is known as message authentication. Message, file, document or other collection of data are said to be authentic only when they are genuine and received from legal source. Message authentication : It is a procedure that allows communication parties to verify that the contents of the message have not been altered and the source is authentic.

Message authenticity also deals with message’s timeliness (artificially delayed or replayed). Characteristics: source is authentic – masquerading contents unaltered – message modification timely sequencing – replay

Authentication using Conventional Encryption : Assume only sender and receiver share a key Then a correctly encrypted message should be from the sender. Usually also contains error-detection code, sequence number and time stamp. Receiver assures no alteration have been made. Proper sequencing. Implementation of timestamp assures message is not delayed beyond deadline.

Message Authentication Without Message Encryption : Authentication tag is generated and appended to each message for transmission. Message is not encrypted and can be read at the destination. Without encryption function. As no encryption is used message confidentiality is not provided. Conventional encryption provides authentication and is widely used. Required approach for both confidentiality and authentication.

There are approaches where message authentication without confidentiality is preferable : Various applications where same message is broadcast to many destinations Scenario where exchange takes place in which one side is heavy load and cannot decrypt all messages – authentication carried out on a selective basis, message being chosen at random. No danger in sending plaintext. Computer program can be executed without performing decryption every time. If a message authentication tag were attached, get checked when assurance is required. Append authentication tag to each message

Message Authentication Code (MAC): One of the authentication technique uses secret key For generating small block of data called message authentication code. This is appended to the message. Working : This technique assumes two communication parties, say A and B, share a common secret key KAB. When A has message for B, it calculates the message authentication code (MAC) as a function of key.

MACM = F ( KAB , M ) Message + Code is transmitted to the intended recipient. Recipient performs the same calculation at receiving end. On received message , using same secret key, for generating a new message authentication code (MAC). Received code is compared to calculated code as shown in fig. If we assume , only receiver and sender knows secret key and received code matches calculated code, then : Receiver is assured that the message has not been altered. Here the attacker is assumed of not knowing the secret key, So the attacker cannot alter the code.

Fig :: Message Authentication using a Message Authentication code

Approaches to Message Authentication Receiver is assured that the message is from alleged sender as no one knows secret key. If message includes a sequence number( as in TCP, HDLC, X.25) then receiver can assure proper sequencing. Number of algorithm could be used for generating the code. Alleged : without proof FIPS : Federal information processing standards

Authentication process are similar to encryption. The main difference is authentication algorithm need not to be reversible, as we seen for decryption. Due to authentication’s mathematical properties it is less vulnerable to being broken than encryption.

One Way Hash Function Q2. With the neat diagram explain how the 1 way hash function are used for message authentication ? A hash function takes a variable sized input message and produces a fixed-sized output. The output is usually referred to as the hash code or the hash value or the message digest. For example, the SHA-512 hash function takes for input messages of length up to 2128 bits and produces as output a 512-bit message digest (MD). SHA stands for Secure Hash Algorithm.

One-Way Hash Function : Alternative to Message Authentication Code Accepts a variable size message M as input and produces a fixed-size message digest H (M) as output. Hash function does not take a secret key as input. For authenticating a message, the message digest is sent with the message in a way that the message digest is authentic. There are 3 ways in which message can be authenticated. The message digest can be encrypted using conventional encryption Using public key. Using secret value.

Source A Destination B

Message digest can be encrypted using conventional encryption as shown. if the sender and receiver share the encryption key , authenticity is assured. Message can also be encrypted using public-key encryption as shown. This technique has two advantages : it provide digital signature as well as message authentication, and it does not require the distribution of keys to communications parties. These two approaches requires less computations.

Several reasons in developing a technique that avoids encryption. Encryption S/W is quite slow, Even the data to be encrypted is small. Encryption H/W costs are non negligible. Some low-cost chip implementations are available of DES, but the cost rises by implementing it to nodes in network. Encryption H/W is optimized towards large data sizes. For small blocks of data, high proportion of time is spent in initialization/invocation overhead.

Technique that uses a hash function but no encryption for message authentication.

MDM = H(SAB||M) || Concatenation and sends [M||MDM] to B. Fig shows a technique, which uses a hash function but no encryption for message authentication. It assumes the two communications parties, A and B share a common secret value SAB . When A has a message to send to B, it calculate the hash function over the concatenation of the secret value and message. MDM = H(SAB||M) || Concatenation and sends [M||MDM] to B. As B possesses SAB it can recompute H(SAB||M) and verify MDM. MD =message digest

As secret value is not sent, it is not possible for attacker to modify an interpreted message. As long as secret value remain secret, it is not possible for attacker to generate false message.

Secure Hash Function and HMAC Q. What are the secure hash functions requirements ? Secure Hash Functions, is important not only for message authentication but also for digital signature. The main purpose of hash function is to produce a “fingerprint” of a file, message or other block of data. A Hash function H must have the following properties : H can be applied to a block of data of any size. H produces a fixed-length output. H(x) is relatively easy to compute for x, making S/W, H/W both implementation practical.

For any given value of h, it is computationally infeasible to find x such that H(x)= h. referred to as One-Way property. For any given block x, it is computationally infeasible to find y ≠ x with H(y)=H(x). Knows as Weak collision resistance. It is computationally infeasible to find any pair(x,y) such that H(x) =H(y). Sometime referred as Strong collision resistance. Infeasible : not possible

First 3 are required for practical application of hash function to message authentication. Fourth is “one-way” property: it is easy to generate a code given a message , but virtually impossible to generate a message given a code. This property is important if the authentication involves the use of secret key. Fifth property guarantees that it is impossible to find an alternative message with same hash value as a given message. Hash function that satisfies first 5 properties are referred to as Weak Hash function.

If 6th property is also satisfied then it is an Strong Hash function. 6th property protects against authentication, it also provides data integrity. Performs same function as a frame check sequence. i.e. if any bits in message are accidently altered in transit , message digest will be in error.

Simple Hash Function : Practically all algorithms view the message as a sequence of n-bit blocks for generating hash code. I/P is processes one block at a time in an iterative fashion for producing an n-bit hash function. One of the simplest hash function is the bit-by-bit Exclusive-OR (XOR) of every block. Given as Ci = bi1 bi2 …. bim Where Ci = ith bit of the hash code, 1<=i <=n. m= number of n-bit blocks in the I/P. bij = ith bit in jth block

Fig illustrates the operation . Fig : Simple hash function using bitwise XOR Fig illustrates the operation . It produces a simple parity for each bit position and Is known as longitudinal redundancy check. It is effective for random data as a data integrity check. Each n-bit hash value is equally likely. Thus, Probability that data error will result in an unchanged hash value is 2-n

Secure Hash Function and HMAC A simple way of improvement is to perform a one-bit circular shift, or rotation, on hash value after each block is processed. The procedure is summarized below : Initially set the n-bit hash value to zero. Process each successive n-bit block of data as Rotate the current hash value to left by one bit XOR the block into hash value This has the effect of “randomizing ” the I/P more completely. Also overcome regularities that appear in I/P.

SHA-1(Secure Hash Algorithm 1) Secure Hash Function Q. List the main features of SHA-512 cryptographic hash function and what kind of compression function is used in SHA-512 ? SHA was developed by National Institute of Standard and technology (NIST). Published as a federal information processing standard (FIPS 180) SHA-1 produces a hash value of 160 bits. Later NIST produces new version of SHA, with hash values length of 256, 384, and 512bits known as SHA-256, SHA-384, and SHA-512. New versions are used for modular arithmetic and logical binary operations.

SHA-1 Secure Hash Function Notes :: All sizes are measured in bits . Security refers to fact that birthday attack on MD of size n produces a collision with work factor of approx 2 to power n/2.

SHA-1 Secure Hash Function

SHA-1 Secure Hash Function The processing consist of various step:: Step1 : Append padding bits : The message is padded so that its length must be multiple of 1024. Every message is padded even if its length is already a multiple of 512/1024. Therefore number of padding bits is in the range of 1 to 1024. Padding consists of a single 1-bit followed by necessary number of 0-bits.

SHA-1 Secure Hash Function Step 2 : Append length : A block of 128 bits is appended to the message. Block is treated as an unsigned 128-bit integer and contains the length of the original message (before padding). Outcome of these two steps leads to a message that is an integer multiple of 1024 bits in length. As shown in fig. the expanded message is represented as a sequence of 1024-bit blocks M1, M2, ……, MN. Therefore the total length of the expanded message is N*1024 bits.

SHA-1 Secure Hash Function Initialize hash buffer: 512 bit buffer is used for holding intermediate and final results of hash function. Buffer can represented as eight 64-bit registers (a,b,c,d,e,f,g,h) Register are initialize to hex values. Process message in 1024 bit (32-word) blocks : heart of algorithm is a module consist of 80 rounds as shown in fig by displaying as “F”. Each round takes an I/P the 512 bit buffer value abcdefgh and updates the contents of buffer. First round I/P is intermediate hash value Hi-1 . each round t makes use of a 64-bit value Wt. It is derived from Current 128-bit block which is being processed Mi. Each round also make use of additive constant Kt where 0<=t <=79. a=6A09E667f3BcCC908 e=Ac4b29459965bc88 b=2234b45890cc2098d f=9B06BC2390BBFA29 c=008bbca2fc29909090 g=6676bc7aaa890780 d=09090909bcbcbcbc H=09bbc764aae3c29

SHA-1 Secure Hash Function

SHA-1 Secure Hash Function It constitute one of the 80 rounds. O/P of the 80th round is added to the I/P to the first round (Hi-1) for producing Hi. 5. Step 5: Output : After all N 1024 bit blocks have been processed, the O/P from the Nth stage is the 512 bit message digest. SHA algo has property that every bit of hash code is a function of every bit of I/P. Complex repetition of function F produces results that are well mixed.

SHA-1 Secure Hash Function Other Secure Hash Function : As seen DES is based on Feistel cipher. Likewise all important block ciphers follows either Feistel design or a generalization of this design which involves multiple rounds of substitution and permutation function. In the same way “Hash ” function follows the basic structure referred as iterated hash function. These structure are used to produce hash function to operate on message of any length.

SHA-1 Secure Hash Function MD5 :: Message Digest Algorithm MD5 was developed by Ron Rivest when both brute-force and cryptanalytic concern have arisen. It is most widely used secure hash algorithm. Takes I/P a message of arbitrary length and produces a O/P a 128 bit message digest. I/P is processed in 512-bit blocks. As processor speed increased, the security of 128-bit hash code has become questionable. Difficulty of coming up with the two messages having the same MD is on order of 264 operations.

MD5

SHA-1 Secure Hash Function The difficulty of finding a message with a given digest is on the order 2128 operations. Provided figure is too small for security. A number of cryptanalytic attacks have been developed that suggest the vulnerability of MD5 to cryptanalysis.

SHA-1 Secure Hash Function

Attacks on Hash Functions There are two categories of attacks on hash functions: brute-force attacks and cryptanalysis. A brute-force attack depends only on bit length. brute-force attack depends only on the bit length of the hash value. A cryptanalysis, is an attack based on weaknesses in a particular cryptographic algorithm. For a preimage or second preimage attack, an adversary wishes to find a value y such that H(y) is equal to a given hash value h. For a collision resistant attack, an adversary wishes to find two messages or data blocks, x and y, that yield the same hash function: H(x) = H(y). This requires much less effort than a preimage or second preimage attack.

3.3. Message Authentication Codes Why HMAC Cryptographic hash function generally execute faster in S/W then conventional encryption algorithm (DES). Library code for cryptographic hash function is widely available. This has motivated for developing a MAC derived from a cryptographic hash code. SHA-1 like Hash function does not rely on secret key and hence not designed to use as a MAC. HMAC incorporates the use of secret key in HASH function.

HMAC HMAC Design Objectives :: Use hash function without modification. (Hash function whose performance is well and whose code is easily/freely available are widely used. Provide easy replacement when faster or more secure hash function are found or required. To Preserve original performance of hash without incurring a greater degradation. To use and handle keys in a simple way. To have a well-understood cryptographic analysis of strength of authentication mechanism.

HMAC First two function are mandatory for acceptance of HMAC. HMAC treats Hash function as a “Black Box”. It has two advantages 1. Existing implementation can be used as a module in implementing HMAC. 2. Modification is quite easy. Security of HMAC could be retained easily by replacing the hash function with a more secure one whenever it is compromised. HMAC is more secure provided the hash function has some reasonable cryptographic strength.

HMAC

HMAC HMAC algorithm : Fig shows the overall operation of HMAC. It consist of H = Embedded Hash function M= I/P message to HMAC (including padding ) Yi = ith block of M, 0<=I <= (L-1) L = Number of blocks in M. b= Number of bits in a block n= Length of Hash code produced by embedded hash function.

HMAC K= Secret key; if length is greater than b, key is I/P to hash function to produce an n-bit key; K+ = K padded with zeros on the left so that the result is b bits in length. ipad = 00110110 (36 in hex)is specified padding constant opad = 01011100 (5C in hex) is specified padding constant The HMAC is expressed as HMACK(M)= Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M)] ]

HMAC Given as Append zeros to left end o f K to create b bit string K( e.g. If K is of length 160 bits and 512, then K will be appended to produce the b bit block Si.. XOR K+ with ipad to produce the b-bit block Si. Append M to Si.. Append H to the stream generated in Step 3 XOR K+ with opad to produce the b-bit block So. Append the hash result from step 4 to So Apply H to the stream generated in step 6 and O/P the result.