11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.

Slides:



Advertisements
Similar presentations
Lecture 5: Cryptographic Hashes
Advertisements

Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Cryptographic Hash Functions Rocky K. C. Chang, February
Digital Signatures and Hash Functions. Digital Signatures.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Information Security and Management 11
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part I.
Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 31 Network Security
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Acknowledgements: William Stallings.William Stallings All rights Reserved Session 4 Public Key Cryptography (Part 2) Network Security Essentials Application.
Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.
Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.
1 Chapter 11: Message Authentication and Hash Functions Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Cryptography, Authentication and Digital Signatures
IS 302: Information Security and Trust Week 5: Integrity 2012.
Message Authentication Code July Message Authentication Problem  Message Authentication is concerned with:  protecting the integrity of a message.
1 Hashes and Message Digests. 2 Hash Also known as –Message digest –One-way function Function: input message -> output One-way: d=h(m), but not h’(d)
Fall 2002CS 395: Computer Security1 Chapter 11: Message Authentication and Hash Functions.
Chapter 31 Cryptography And Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
CSCI 172/283 Fall 2010 Hash Functions, HMACs, and Digital Signatures.
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.
12.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 12 Cryptographic Hash Functions.
Hash and Mac Algorithms. Contents Hash Functions Secure Hash Algorithm HMAC.
Chapter 4 Message Authentication MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.
Chapter 2 Advanced Cryptography (Part C)
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Cryptographic Hash Functions and Protocol Analysis
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Modern Cryptography.
Chapter 11 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Information Integrity and Message Digests CSCI 5857: Encoding and Encryption.
Cryptography and Network Security (CS435) Part Nine (Message Authentication)
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Message Authentication Codes CSCI 5857: Encoding and Encryption.
CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 13.Message Authentication.
Cryptography Hyunsung Kim, PhD University of Malawi, Chancellor College Kyungil University February, 2016.
Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.
@Yuan Xue 285: Network Security CS 285 Network Security Message Authentication Code Data integrity + Source authentication.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.
Message Integrity and Message Authentication
Computer Communication & Networks
Cryptographic Hash Functions
Cryptographic Hash Function
CSCE 715: Network Systems Security
Cryptographic Hash Functions
NET 311 Information Security
Cryptography: Basics (2)
Chapter 29 Cryptography and Network Security
Presentation transcript:

11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication

11.2 Objectives ❏ To define message integrity ❏ To define message authentication ❏ To define criteria for a cryptographic hash function ❏ To define the Random Oracle Model and its role in evaluating the security of cryptographic hash functions ❏ To distinguish between an MDC and a MAC ❏ To discuss some common MACs

11.3 The cryptography systems that we have studied so far provide secrecy, or confidentiality, but not integrity. However, there are occasions where we may not even need secrecy but instead must have integrity MESSAGE INTEGRITY

11.4 One way to preserve the integrity of a document is through the use of a fingerprint. If Alice needs to be sure that the contents of her document will not be changed, she can put her fingerprint at the bottom of the document. Eve cannot modify the contents of this document or create a false document because she cannot forge Alice’s fingerprint. Fingerprint on the document can be compared to Alice’s fingerprint on file Document and Fingerprint

11.5 The electronic equivalent of the document and fingerprint pair is the message and digest pair. To preserve the integrity of a message, the message is passed through an algorithm called a cryptographic hash function which creates a compressed image of the message Message and Message Digest Figure 11.1 Message and digest

11.6 The two pairs ( document / fingerprint ) and ( message /message digest ) are similar, with some differences. The document and fingerprint are physically linked together. The message and message digest can be unlinked separately, and, most importantly, the message digest needs to be safe from change. Note that the message digest needs to be safe from change Difference

Checking Integrity Figure 11.2 Checking integrity

11.8 A cryptographic hash function must satisfy three criteria: preimage resistance, second preimage resistance, collision resistance Cryptographic Hash Function Criteria Figure 11.3 Criteria of a cryptographic hash function

11.9 Preimage Resistance Figure 11.4 Preimage Cryptographic Hash Function Criteria

11.10 Can we use a conventional lossless compression method such as StuffIt as a cryptographic hash function? Example 11.1 Solution We cannot. A lossless compression method creates a compressed message that is reversible. Can we use a checksum function as a cryptographic hash function? Example 11.2 Solution We cannot. A checksum function is not preimage resistant, Eve may find several messages whose checksum matches the given one Cryptographic Hash Function Criteria

11.11 Second Preimage Resistance Figure 11.5 Second preimage Cryptographic Hash Function Criteria

11.12 Collision Resistance Figure 11.6 Collision Cryptographic Hash Function Criteria

RANDOM ORACLE MODEL The Random Oracle Model, which was introduced in 1993 by Bellare and Rogaway, is an ideal mathematical model for a hash function.

RANDOM ORACLE MODEL A hash function based on the Random Oracle Model, behaves as follows: 1.When a new message of any length is given, the oracle creates and gives a fixed-length message digest that is a random string of 0 s and 1 s. The oracle records the message and the message digest. 2. When a message is given for which a digest exists, the oracle simply gives the digest in the record. 3. The digest for a new message needs to be chosen independently from all previous digests. This implies that oracle cannot use a formula or an algorithm to calculate the digest.

11.15 Assume an oracle with a table and a fair coin. The table has two columns. Also assume that the digest is always 16 bits. Example 11.3 a.The message AB1234CD8765BDAD is given for digest calculation. The oracle checks its table. This message id not in the table, so the oracle flips its coin 16 times RANDOM ORACLE MODEL

11.16 Example 11.3(Continued) b.The message 4523AB1352CDEF45126 is given for digest calculation. The oracle checks its table and finds that there is a digest for this message in the table (first row). The oracle simply gives the corresponding digest (13AB) RANDOM ORACLE MODEL

11.17 The oracle in Example 11.3 cannot use a formula or algorithm to create the digest for a message. For example, imagine the oracle uses the formula h(M) = M mod n. Now suppose that the oracle has already given h(M 1 ) and h(M 2 ). If a new message is presented as M 3 = M 1 + M 2, the oracle does not have to calculate the h(M 3 ). The new digest is just [ h(M 1 ) + h(M 2 )] mod n since Example 11.4 This violates the third requirement that each digest must be randomly chosen based on the message given to the oracle RANDOM ORACLE MODEL

11.18 If n pigeonholes are occupied by n + 1 pigeons, then at least one pigeonhole is occupied by two pigeons. The generalized version of the pigeonhole principle is that if n pigeonholes are occupied by kn + 1 pigeons, then at least one pigeonhole is occupied by k+1 pigeons Pigeonhole Principle

11.19 Assume that the messages in a hash function are 6 bits long and the digests are only 4 bits long. Then the possible number of digests (pigeonholes) is 2 4 = 16, and the possible number of messages (pigeons) is 2 6 = 64. This means n = 16 and kn + 1 = 64, so k is larger than 3. The conclusion is that at least one digest corresponds to ( k + 1 ) messages. Example Pigeonhole Principle

Birthday Problems Figure 11.7 Four birthday problems

11.21 The birthday problems are described in terms that can be applied to security of hash functions. The terms likely in all cases means with the probability P ≥ 1/2. ❏ Problem 1 : What is the minimum number, k, of students in a classroom such that it is likely that at least one student has predefined birthday? We have a uniformly distributed random variable with N possible values (between 0 and N-1 ). What is the minimum number of instances, k, such that it is likely that at least one instance is equal to a predefined one? Description of Problems Birthday Problems

11.22 ❏ Problem 2 : What is the minimum number, k, of students in a classroom such that it is likely that at least one student has the same birthday as the student selected by the professor ? We have a uniformly distributed random variable with N possible values (between 0 and N-1 ). What is the minimum number of instances, k, such that it is likely that at least one instance is equal to selected one? Description of Problems Birthday Problems (Continued)

11.23 ❏ Problem 3 : What is the minimum number, k, of students in a classroom such that it is likely that at least two students has the same birthday? We have a uniformly distributed random variable with N possible values (between 0 and N-1 ). What is the minimum number of instances, k, such that it is likely that at least two instances are equal? Description of Problems Birthday Problems (Continued)

11.24 ❏ Problem 4 : We have two classes, each with k students. What is the minimum value of k so that it is likely that at least one student from the first classroom has the same birthday as the student from the second classroom? We have a uniformly distributed random variable with N possible values (between 0 and N-1 ). We generate two sets of random values each with k instances. What is the minimum number of, k, such that it is likely from the first set is equal to one instance in the second set? Description of Problems Birthday Problems (Continued)

11.25 Solutions to these problems are given in Appendix E for interested readers; The results are summarized in Table Birthday Problems Summary of Solutions

11.26 Problem 1 and 2 are related to preimage and second preimage attacks; Problem 3 and 4 are related to the collision attack. The comparison shows it is much more difficult to launch a preimage or second preimage attack than to launch a collision attack Birthday Problems Comparison

11.27 Comparison Figure 11.8 Graph of four birthday problem Birthday Problems (Continued)

Attacks on Random Oracle Model Preimage Attack P ≈ 1-e -k/N ≥ 1/2. k ≈ 0.69 × N ≈ 0.69 × 2 n. The difficulty of a preimage attack is proportional to 2 n. (Continued)

11.29 A cryptographic hash function uses a digest of 64 bits. How many digests does Eve need to create to find the original message with the probability more than 0.5? Example 11.6 Solution The number of digests to be created is k ≈ 0.69 × 2 n ≈ 0.69 × This is a large number. Even if Eve can create 2 30 (almost one billion) messages per second, it takes 0.69 × 2 34 seconds or more than 500 years. This means that a message digest of size 64 bits is secure with respect to preimage attack, but, as we will see shortly, is not secured to collision attack Attacks on Random Oracle Model

11.30 Second Preimage Attack Attacks on Random Oracle Model The difficulty of a second preimage attack is proportional to 2 n.

11.31 Collision Attack Attacks on Random Oracle Model The difficulty of a collision attack is proportional to 2 n/2.

11.32 A cryptographic hash function uses a digest of 64 bits. How many digests does Eve need to create to find two messages with the same digest with the probability more than 0.5 ? Example 11.7 Solution The number of digests to be created is k ≈ 1.18 × 2 n/2 ≈ 1.18 × 232. If Eve can test 2 20 (almost one million) messages per second, it takes 1.18 × 2 12 seconds, or less than two hours. This means that a message digest of size 64 bits is not secure against the collision attack Attacks on Random Oracle Model

11.33 Alternate Collision Attack Attacks on Random Oracle Model The difficulty of an alternative collision attack is proportional to 2 n/2.

11.34 Table 11.4 shows the level of difficulty for each attack if the digest is n bits Attacks on Random Oracle Model Summary of Attacks

11.35 Originally hash functions with a 64 -bit digest were believed to be immune to collision attacks. But with the increase in the processing speed, today everyone agrees that these hash functions are no longer secure. Eve needs only 2 64/2 = 2 32 tests to launch an attack with probability 1/2 or more. Assume she can perform 2 20 (one million) tests per second. She can launch an attack in 2 32 /2 20 = 2 12 seconds (almost an hour). Example Attacks on Random Oracle Model

11.36 MD5 (see Chapter 12), which was one of the standard hash functions for a long time, creates digests of 128 bits. To launch a collision attack, the adversary needs to test 2 64 ( /2 ) tests in the collision algorithm. Even if the adversary can perform 2 30 (more than one billion) tests in a second, it takes 2 34 seconds (more than 500 years) to launch an attack. This type of attack is based on the Random Oracle Model. It has been proved that MD5 can be attacked on less than 2 64 tests because of the structure of the algorithm. Example Attacks on Random Oracle Model

11.37 SHA-1 (see Chapter 12), a standard hash function developed by NIST, creates digests of 160 bits. To launch a collision attack, the adversary needs to test 2 160/2 = 2 80 tests in the collision algorithm. Even if the adversary can perform 2 30 (more than one billion) tests in a second, it takes 2 50 seconds (more than ten thousand years) to launch an attack. However, researchers have discovered some features of the function that allow it to be attacked in less time than calculated above. Example Attacks on Random Oracle Model

11.38 The new hash function, that is likely to become NIST standard, is SHA-512 (see Chapter 12), which has a 512 -bit digest. This function is definitely resistant to collision attacks based on the Random Oracle Model. It needs 2 512/2 = tests to find a collision with the probability of 1/2. Example Attacks on Random Oracle Model

11.39 The analysis about the attacks based on an ideal cryptographic hash function provides systematic evaluation of the algorithms. But practical hash functions can have some internal structures that make them much weaker. It is not possible to make a hash function that creates digests that are completely random. The adversary may have other tools to attack hash function. One of these tools, for example, is the meet-in-the-middle attack that we discussed in Chapter 6 for double DES Attacks on the Structure

MESSAGE AUTHENTICATION A message digest does not authenticate the sender of the message. To provide message authentication, Alice needs to provide proof that it is Alice sending the message and not an impostor. The digest created by a cryptographic hash function is normally called a modification detection code (MDC). What we need for message authentication is a message authentication code (MAC).

11.41 A modification detection code (MDC) is a message digest that can prove the integrity of the message: that message has not been changed. If Alice needs to send a message to Bob and be sure that the message will not change during transmission, Alice can create a message digest, MDC, and send both the message and the MDC to Bob. Bob can create a new MDC from the message and compare the received MDC and the new MDC. If they are the same, the message has not been changed Modification Detection Code (MDC)

11.42 Figure 11.9 Modification detection code (MDC) Modification Detection Code (MDC)

Message Authentication Code (MAC) Figure Message authentication code Need to ensure the integrity of the message and the data origin authentication. The difference between a MDC and a MAC is that MAC includes a secret between Alice and Bob. MAC = h(K | M)

Message Authentication Code (MAC) Prefix MAC (the key appended to the beginning of the message) Postfix MAC (the key appended to the end of the message) We can combine the prefix and postfix MAC, with the same key or two different keys.

Message Authentication Code (MAC) Note that the security of a MAC depends on the security of the underlying hash algorithm. Security of a MAC Three possible cases of Eve forging a message: 1.Exhaustive search of key. 2.The preimage attack: Eve can find the key from the intercepted MAC (= h(K | M) ). (* Thus Eve can successfully replace the message with a forged one. *) 3. Given some pairs of messages and their MACs, Eve can manipulate them to come up with a new message and its MAC.

11.46 Nested MAC Figure Nested MAC Message Authentication Code (MAC) To improve the security of a MAC.

11.47 HMAC Message Authentication Code (MAC) NIST has issued a standard (FIPS198) for a nested MAC that is referred to as HMAC (hashed MAC). 1.The message is divided into N blocks, each of b bits. 2.The secret key is left-padded with 0 ’s to create a b -bit key. Note that it is recommended that secret key (before padding) be longer than n bits, where n is the size of the HMAC. 3.The result of step 2 is XORed with a constant called ipad (input pad) to create a b -bit block. The value of ipad is the b/8 repetition of the sequence (( 36 ) 16 ). 4.The resulting block is prepended to N -block message. 5.The result of step 4 is hashed to create an n -bit digest. We call the digest the intermediate HMAC.

11.48 HMAC (Continued) Message Authentication Code (MAC) 6. The intermediate n -bit HMAC is left padded with 0 s to make a b -bit block. 7. Step 2 and 3 are repeated by a different constant opad (output pad). The value of opad is the b/8 repetition of the sequence (( 5C ) 16 ). 8. The result of step 7 is prepended to the block of step The result of step 8 is hashed with the same hashing algorithm to create the final n -bit HMAC.

11.49 Figure Details of HMAC Message Authentication Code (MAC) HMAC (Continued) ( 5C5C5C5C5C5C5C5C ) 16 ( ) 16

11.50 CMAC Message Authentication Code (MAC) NIST has also defined a standard (FIPS113) called Data Authentication Algorithm, or CMAC, or CBCMAC. The method is similar to CBC mode. However, the idea is to create one block of MAC from N blocks of plaintext, not to create N blocks of ciphertext from N blocks of plaintext. The message is divided into N blocks, each m bits long. The size of CMAC is n bits. If the last block is not m bits, it is padded with a 1 -bit followed by enough 0 -bits to make it m bits.

Message Authentication Code (MAC) The n leftmost bit from the last block is the CMAC. In addition to the symmetric key, K, CMAC also uses another key, k, which applied only at the last step. The result from the Encryption algorithm is multiplied by x if no padding is applied and is multiplied by x 2 if padding is applied. The multiplications is in GF ( 2 m ) with irreducible polynomial of degree m selected by the particular protocol used. CMAC (Continued)

11.52 Figure CMAC Message Authentication Code (MAC) CMAC (Continued)