Presentation is loading. Please wait.

Presentation is loading. Please wait.

Message Authentication and Hash Functions

Published byCleopatra Douglas Modified over 6 years ago

Similar presentations

Presentation on theme: "Message Authentication and Hash Functions"— Presentation transcript:

1 Message Authentication and Hash Functions
NUIST School of Computer and Software Jian Shen, PhD, Professor

2 Outline 1. Authentication Requirements 2. Authentication Functions
3. Message Authentication Codes 4. Hash Functions 5. Security of Hash Functions and MACs

3 Authentication Requirements (1/3)
Attacks: 1. Disclosure: Release of message contents to any person or process not possessing the appropriate cryptographic key. 2. Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-oriented application, the frequency and duration of connections could be determined. In either a connection-oriented or connectionless environment, the number and length of messages between parties could be determined. 3. Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or nonreceipt by someone other than the message recipient. 4. Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification. 5. Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering.

4 Authentication Requirements (2/3)
6. Timing modification: Delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message (e.g., datagram) could be delayed or replayed. 7. Source repudiation: Denial of transmission of message by source. 8. Destination repudiation: Denial of receipt of message by destination. Measures to deal with the first two attacks are message confidentiality. Measures to deal with items 3 through 6 are regarded as message authentication. Mechanisms for dealing specifically with item 7 come under the heading of digital signatures. Generally, a digital signature technique will also counter some or all of the attacks listed under items 3 through 6. Dealing with item 8 may require a combination of the use of digital signatures and a protocol designed to counter this attack.

5 Authentication Requirements (3/3)
Message authentication is a procedure to verify that received messages come from the alleged source and have not been altered. Message authentication may also verify sequencing and timeliness. A digital signature is an authentication technique that also includes measures to counter repudiation by the source.

6 Authentication Functions (1/14)
Two levels of functionality: At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message. This lower-level function is then used as a primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message. This section is concerned with the types of functions that may be used to produce an authenticator. These may be grouped into three classes, as follows: Message encryption: The ciphertext of the entire message serves as its authenticator Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator Hash function: A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator

7 Authentication Functions (2/14)
Message Encryption Message encryption by itself can provide a measure of authentication. Symmetric Encryption A message M transmitted from source A to destination B is encrypted using a secret key K shared by A and B. If no other party knows the key, then confidentiality is provided. We may say that B is assured that the message was generated by A. The message must have come from A because A is the only other party that possesses K and therefore the only other party with the information necessary to construct ciphertext that can be decrypted with K. Furthermore, if M is recovered, B knows that none of the bits of M have been altered, because an opponent that does not know K would not know how to alter bits in the ciphertext to produce desired changes in the plaintext. Symmetric encryption provides authentication as well as confidentiality. Consider exactly what is happening at B. Given a decryption function D and a secret key K, the destination will accept any input X and produce output Y = D(K, X). If X is the ciphertext of a legitimate message M produced by the corresponding encryption function, then Y is some plaintext message M Otherwise, Y will likely be a meaningless sequence of bits. There may need to be some automated means of determining at B whether Y is legitimate plaintext and therefore must have come from A.

8 Authentication Functions (3/14)
If M can be any bit pattern, then regardless of the value of X, the value Y = D(K, X) is some bit pattern and therefore must be accepted as authentic plaintext. Suppose that only one bit pattern in 106 is legitimate plaintext. Then the probability that any randomly chosen bit pattern, treated as ciphertext, will produce a legitimate plaintext message is only 10-6. Suppose that we are transmitting English-language messages using a Caesar cipher with a shift of one (K = 1). A sends the following legitimate ciphertext: nbsftfbupbutboeepftfbupbutboemjuumfmbnctfbujwz B decrypts to produce the following plaintext: Mareseatoatsanddoeseatoatsandlittlelambseativy A simple frequency analysis confirms that this message has the profile of ordinary English. On the other hand, if an opponent generates the following random sequence of letters: Zuvrsoevgqxlzwigamdvnmhpmccxiuureosfbcebtqxsxq this decrypts to: Ytuqrndufpwkyvhfzlcumlgolbbwhttqdnreabdaspwrwp

9 Authentication Functions (4/14)
Append an error-detecting code, also known as a frame check sequence (FCS), to each message before encryption, as illustrated in Figure 11.2a.

10 Authentication Functions (5/14)
Note that the order in which the FCS and encryption functions are performed is critical. The sequence illustrated in Figure 11.2a is referred to as internal error control, which the authors contrast with external error control (Figure 11.2b).

11 Authentication Functions (6/14)
As an example, consider the structure of messages transmitted using the TCP/IP protocol architecture. Figure 11.3 shows the format of a TCP segment, illustrating the TCP header. Now suppose that each pair of hosts shared a unique secret key, so that all exchanges between a pair of hosts used the same key, regardless of application.

12 Authentication Functions (7/14)
Public-Key Encryption The straightforward use of public-key encryption (Figure 11.1b) provides confidentiality but not authentication. To provide authentication, A uses its private key to encrypt the message, and B uses A's public key to decrypt (Figure 11.1c).

13 Authentication Functions (8/14)
There must be some internal structure to the plaintext so that the receiver can distinguish between well-formed plaintext and random bits. The scheme of Figure 11.1c does provide authentication. It also provides what is known as digital signature. To provide both confidentiality and authentication, A can encrypt M first using its private key, which provides the digital signature, and then using B's public key, which provides confidentiality (Figure 11.1d). The disadvantage of this approach is that the public-key algorithm, which is complex, must be exercised four times rather than two in each communication.

14 Key Management (12/14) The risk of compromise of the keys is minimal. At the same time, the communication is secure from eavesdropping. The protocol depicted in Figure 10.5 is insecure against an adversary who can intercept messages and then either relay the intercepted message or substitute another message. Such an attack is known as a man-in-the-middle attack. In this case, if E has control of the intervening communication channel, then E can compromise the communication in the following fashion without being detected: A generates a public/private key pair {PUa, PRa} and transmits a message intended for B consisting of PUa and an identifier of A, IDA. E intercepts the message, creates its own public/private key pair {PUe, PRe} and transmits PUe|| IDA to B. B generates a secret key, Ks, and transmits E(PUe, Ks). E intercepts the message, and learns Ks by computing D(PRe, E(PUe, Ks)). E transmits E(PUa, Ks) to A.

15 Key Management (13/14) Secret Key Distribution with Confidentiality and Authentication Figure 10.6 provides protection against both active and passive attacks. We begin at a point when it is assumed that A and B have exchanged public keys by one of the schemes described earlier in this section. Then the following steps occur: 1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely. 2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2) Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B. 3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A. 4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it. 5. B computes D(PUa, D(PRb, M)) to recover the secret key.

16 Key Management (14/14) A Hybrid Scheme
Yet another way to use public-key encryption to distribute secret keys is a hybrid approach in use on IBM mainframes. This scheme retains the use of a key distribution center (KDC) that shares a secret master key with each user and distributes secret session keys encrypted with the master key. A public key scheme is used to distribute the master keys. The following rationale is provided for using this three-level approach: Performance: There are many applications, especially transaction-oriented applications, in which the session keys change frequently Backward compatibility: The hybrid scheme is easily overlaid on an existing KDC scheme, with minimal disruption or software changes. The addition of a public-key layer provides a secure, efficient means of distributing master keys. This is an advantage in a configuration in which a single KDC serves a widely distributed set of users.

17 Diffie-Hellman Key Exchange(1/5)
The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages. The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms. Briefly, we can define the discrete logarithm in the following way. First, we define a primitive root of a prime number p as one whose powers modulo p generate all the integers from 1 to p-1. That is, if a is a primitive root of the prime number p, then the numbers a mod p, a2 mod p,..., ap1 mod p are distinct and consist of the integers from 1 through p-1 in some permutation. For any integer b and a primitive root a of prime number p, we can find a unique exponent i such that The exponent i is referred to as the discrete logarithm of b for the base a, mod p. We express this value as dloga,p (b). Diffie-Hellman Key Exchange(1/5)

18 Diffie-Hellman Key Exchange(2/5)
Figure 10.7 summarizes the Diffie-Hellman key exchange algorithm. For this scheme, there are two publicly known numbers: a prime number q and an integer that is a primitive root of q. Suppose the users A and B wish to exchange a key. User A selects a random integer XA < q and computes YA = aXA mod q. Similarly, user B independently selects a random integer XB < q and computes YB = aXB mod q. Each side keeps the X value private and makes the Y value available publicly to the other side. User A computes the key as K = (YB) XA mod q and user B computes the key as K = (YA)XB mod q. These two calculations produce identical results: Diffie-Hellman Key Exchange(2/5)

19 Diffie-Hellman Key Exchange(3/5)
The result is that the two sides have exchanged a secret value. The adversary is forced to take a discrete logarithm to determine the key. For example, to determine the private key of user B, an adversary must compute XB = dloga,q (YB) The adversary can then calculate the key K in the same manner as user B calculates it. The security of the Diffie-Hellman key exchange lies in the fact that it is very difficult to calculate discrete logarithms. For large primes, the latter task is considered infeasible. Here is an example. Key exchange is based on the use of the prime number q = 353 and a = 3. A and B select secret keys XA = 97 and XB = 233, respectively. Each computes its public key: Diffie-Hellman Key Exchange(3/5)

20 Diffie-Hellman Key Exchange(4/5)
Key Exchange Protocols Figure 10.8 shows a simple protocol that makes use of the Diffie-Hellman calculation. Diffie-Hellman Key Exchange(4/5)

21 Diffie-Hellman Key Exchange(5/5)
Man-in-the-Middle Attack The protocol depicted in Figure 10.8 is insecure against a man-in-the-middle attack. Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack proceeds as follows: Darth prepares for the attack by generating two random private keys XD1 and XD2 and then computing the corresponding public keys YD1 and YD2. Alice transmits YA to Bob. Darth intercepts YA and transmits YD1 to Bob. Darth also calculates K2 = (YA)XD2 mod q. Bob receives YD1 and calculates K1 = (YD1)XB mod q. Bob transmits XA to Alice. Darth intercepts XA and transmits YD2 to Alice. Darth calculates K1 = (YB)XD1 mod q. Alice receives YD2 and calculates K2 = (YD2)XA mod q. At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share secret key K1 and Alice and Darth share secret key K2. All future communication between Bob and Alice is compromised Diffie-Hellman Key Exchange(5/5)

22 Elliptic Curve Arithmetic
The key length for secure RSA use has increased over recent years, and this has put a heavier processing load on applications using RSA. Recently, a competing system has begun to challenge RSA: elliptic curve cryptography (ECC). ECC offers equal security for a far smaller key size ECC is fundamentally more difficult to explain than either RSA or Diffie-Hellman Elliptic Curve Arithmetic

23 Elliptic Curve Cryptography (1/5)
The addition operation in ECC is the counterpart of modular multiplication in RSA, and multiple addition is the counterpart of modular exponentiation. To form a cryptographic system using elliptic curves, we need to find a "hard problem" corresponding to factoring the product of two primes or taking the discrete logarithm. Consider the equation Q = kP where Q, P Ep(a, b) and k < p. It is relatively easy to calculate Q given k and P, but it is relatively hard to determine k given Q and P. This is called the discrete logarithm problem for elliptic curves. Consider the group E23(9, 17). This is the group defined by the equation y2 mod 23 = (x3 + 9x + 17) mod 23. What is the discrete logarithm k of Q = (4, 5) to the base P = (16.5)? The brute-force method is to compute multiples of P until Q is found. Thus P = (16, 5); 2P = (20, 20); 3P = (14, 14); 4P = (19, 20); 5P = (13, 10); 6P = (7, 3); 7P = (8, 7); 8P (12, 17); 9P = (4, 5). Because 9P = (4, 5) = Q, the discrete logarithm Q = (4, 5) to the base P = (16, 5) is k = 9. In a real application, k would be so large as to make the brute-force approach infeasible. Elliptic Curve Cryptography (1/5)

24 Elliptic Curve Cryptography (2/5)
Analog of Diffie-Hellman Key Exchange Key exchange using elliptic curves can be done in the following manner. First pick a large integer q and elliptic curve parameters a and b. This defines the elliptic group of points Eq(a, b). Next, pick a base point G = (x1, y1) in Ep(a, b) whose order is a very large value n. The order n of a point G on an elliptic curve is the smallest positive integer n such that nG = O. Eq(a, b) and G are parameters of the cryptosystem known to all participants. A key exchange between users A and B can be accomplished as follows Figure 10.12 A selects an integer nA less than n. This is A's private key. A then generates a public key PA = nA x G; the public key is a point in Eq(a, b). B similarly selects a private key nB and computes a public key PB. A generates the secret key K = nA x PB. B generates the secret key K = nB x PA. The two calculations in step 3 produce the same result because nA x PB = nA x (nB x G) = nB x (nA x G) = nB x PA Elliptic Curve Cryptography (2/5)

25 Elliptic Curve Cryptography (3/5)
Note that the secret key is a pair of numbers. If this key is to be used as a session key for conventional encryption, then a single number must be generated. We could simply use the x coordinates or some simple function of the x coordinate. Elliptic Curve Cryptography (3/5)

26 Elliptic Curve Cryptography (4/5)
Elliptic Curve Encryption/Decryption As with the key exchange system, an encryption/decryption system requires a point G and an elliptic group Eq(a, b) as parameters. Each user A selects a private key nA and generates a public key PA = nA x G. To encrypt and send a message Pm to B, A chooses a random positive integer k and produces the ciphertext Cm consisting of the pair of points: Cm = {kG, Pm + kPB} Note that A has used B's public key PB. To decrypt the ciphertext, B multiplies the first point in the pair by B's secret key and subtracts the result from the second point: Pm + kPB-nB(kG) = Pm + k(nBG)-nB(kG) = Pm A has masked the message Pm by adding kPB to it. Nobody but A knows the value of k, so even though PB is a public key, nobody can remove the mask kPB. However, A also includes a "clue," which is enough to remove the mask if one knows the private key nB. For an attacker to recover the message, the attacker would have to compute k given G and kG, which is assumed hard. Elliptic Curve Cryptography (4/5)

27 Elliptic Curve Cryptography (5/5)
Security of Elliptic Curve Cryptography The security of ECC depends on how difficult it is to determine k given kP and P. This is referred to as the elliptic curve logarithm problem. The fastest known technique for taking the elliptic curve logarithm is known as the Pollard rho method. Table compares various algorithms by showing comparable key sizes in terms of computational effort for cryptanalysis. a considerably smaller key size can be used for ECC compared to RSA. Furthermore, for equal key lengths, the computational effort required for ECC and RSA is comparable. Thus, there is a computational advantage to using ECC with a shorter key length than a comparably secure RSA. Elliptic Curve Cryptography (5/5)

28 Thank you !! Any questions ?? The end

Download ppt "Message Authentication and Hash Functions"

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Key Management Nick Feamster CS 6262 Spring 2009.

Key Management Nick Feamster CS 6262 Spring 2009.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.

YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.

1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS

CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
ASYMMETRIC CIPHERS.

ASYMMETRIC CIPHERS.
1 Public-Key Cryptography and Message Authentication Ola Flygt Växjö University, Sweden +46 470 70 86.

1 Public-Key Cryptography and Message Authentication Ola Flygt Växjö University, Sweden
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Key Management and Diffie- Hellman Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 12/3/2009 INCS 741: Cryptography 12/3/20091Dr. Monther.

Key Management and Diffie- Hellman Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 12/3/2009 INCS 741: Cryptography 12/3/20091Dr. Monther.
Message Authentication Requirements Disclosure Release of message contents to any person or process not possessing the appropriate cryptographic key Traffic.

Message Authentication Requirements Disclosure Release of message contents to any person or process not possessing the appropriate cryptographic key Traffic.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.

4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Message Authentication and Hash Functions Chapter 11.

Message Authentication and Hash Functions Chapter 11.
Chapter 21 Public-Key Cryptography and Message Authentication.

Chapter 21 Public-Key Cryptography and Message Authentication.
Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.

Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.
PUBLIC-KEY CRYPTOGRAPH IT 352 : Lecture 2- part3 Najwa AlGhamdi, MSc – 2012 /1433.

PUBLIC-KEY CRYPTOGRAPH IT 352 : Lecture 2- part3 Najwa AlGhamdi, MSc – 2012 /1433.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Similar presentations

Ads by Google