1. Cryptography and Network Security Chapter 11
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown/Mod. & S. Kondakci
Lecture slides by Lawrie Brown for “Cryptography and Network Security”, 4/e, by William Stallings, Chapter 11 – “Message Authentication and Hash Functions”.

2. Message Authentication
message authentication is concerned with:
protecting the integrity of a message
validating identity of originator
non-repudiation of origin (dispute resolution)
considers a set of security requirements
Three alternative functions used:
message encryption
message authentication code (MAC)
hash function
Up untill now, have been concerned with protecting message content (ie secrecy) by encrypting the message. Will now consider how to protect message integrity (ie protection from modification), as well as confirming the identity of the sender. Generically this is the problem of message authentication, and in eCommerce applications is arguably more important than secrecy. Message Authentication is concerned with: protecting the integrity of a message, validating identity of originator, & non-repudiation of origin (dispute resolution). There are three types of functions that may be used to produce an authenticator: message encryption, message authentication code (MAC), or a hash function.

3. A Set of Security Requirements
disclosure
traffic analysis
masquerade
content modification
sequence modification
timing modification
source repudiation
destination repudiation
In the context of communications across a network, the attacks listed above can be identified.
The first two requirements belong in the realm of message confidentiality, and are handled using the encryption techniques already discussed.
The remaining requirements belong in the realm of message authentication. At its core this addresses the issue of ensuring that a message comes from the alleged source and has not been altered. It may also address sequencing and timeliness. The use of a digital signature can also address issues of repudiation by the source.

4. Symmetric-key Message Encryption
message encryption by itself also provides a measure of authentication
if symmetric encryption is used then:
receiver knows sender must have created it
since only sender and receiver know key used they know that content cannot have been altered by others than themselves
Message encryption by itself can provide a measure of authentication. Here, the ciphertext of the entire message serves as its authenticator, on the basis that only those who know the appropriate keys could have validly encrypted the message. This is provided you can recognize a valid message (ie if the message has suitable structure such as redundancy or a checksum to detect any changes).

5. public-key Message Encryption
If public-key encryption is used:
encryption provides no confidence of sender since anyone potentially knows public-key
however if
sender signs message using their private-key then encrypts with recipients public key thus, have both secrecy and authentication
With public-key techniques, can get a digital signature which can only have been created by key owner. But at cost of two public-key operations at each end on message.

6. Message Authentication Code (MAC)
MAC provides assurance that message is unaltered and comes from certain sender.
generated by an algorithm that creates a small fixed-sized block
depending on both message and some key
like encryption though need not be reversible
A MAC is appended to message as a signature
receiver performs same computation on the received message and checks wheathr it matches the MAC appended
An alternative authentication technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC that is appended to the message. This technique assumes that two communicating parties, say A and B, share a common secret key K. A MAC function is similar to encryption, except that the MAC algorithm need not be reversible, as it must for decryption.

7. Message Authentication Codes
MAC provides authentication but can also use encryption for secrecy
generally use separate keys for each
can compute MAC either before or after encryption: generally regarded as better done before
why use a MAC?
sometimes only authentication is needed
sometimes we need authentication to persist longer than the encryption (eg. archival use)
Can combine use of MAC with encryption in various ways to provide both authentication & secrecy.
Use MAC in circumstances where just authentication is needed (or needs to be kept), see text for examples.
A MAC is NOT a digital signature since both sender & receiver share key and could create it.

8. MAC Properties A MAC is a cryptographic checksum
MAC = CK(M)
condenses a variable-length message M using a secret key K to a fixed-sized authenticator
A MAC is a many-to-one function
potentially many messages have same MAC
but finding these can be very difficult
A MAC, also known as a cryptographic checksum,is generated by a function C. The MAC is appended to the message at the source at a time when the message is assumed or known to be correct. The receiver authenticates that message by re-computing the MAC.
The MAC function is a many-to-one function, since potentially many arbitrarily long messages can be condensed to the same summary value, but don’t want finding them to be easy!

9. Requirements for MACs
Taking into account the types of attacks, MAC should satisfy the following aspects:
knowing a message and MAC, it should be infeasible to find another message with the same MAC
MACs should be uniformly distributed
MAC should depend equally on all bits of the message
In assessing the security of a MAC function, we need to consider the types of attacks that may be mounted against it. Hence it needs to satisfy the listed requirements.
The first requirement deals with message replacement attacks, in which an opponent is able to construct a new message to match a given MAC, even though the opponent does not know and does not learn the key.
The second requirement deals with the need to thwart a brute-force attack based on chosen plaintext.
The final requirement dictates that the authentication algorithm should not be weaker with respect to certain parts or bits of the message than others.

10. Symmetric Ciphers for MACs
Can use any block cipher with chaining mode and use final block as a MAC
Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
using IV=0 and zero-pad of final block
encrypts message using DES in CBC mode
and sends just the final block as the MAC
or the leftmost M bits (16≤M≤64) of final block
but final MAC is now too small for security!
Can also use block cipher chaining modes to create a separate authenticator, by just sending the last block. This was done with the Data Authentication Algorithm (DAA), a widely used MAC based on DES-CBC (next slide). However this suffers from being too small for acceptable use today.

11. Cipher Block Modes of Operation
Cipher Block Chaining Mode (CBC)
The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block.
Repeating pattern of 64-bits are not exposed 11

12. 12

13. CBC Encryption & Decryption

14. Data Authentication Algorithm (FIPS PUB 113)

15. Data Authentication Algorithm
Stallings Figure 11.6 “Data Authentication Algorithm”, illustrates the FIPS PUB 113 / ANSI X9.17 MAC based on DES-CBC with IV 0 and 0-pad of the final block if needed. Resulting MAC can be bits of the final block. But this is now too small for security.
FIPS PUB 113

16. Hash Functions condenses arbitrary message to fixed size
h = H(M)
usually assumed that the hash function is public and not keyed
Hashes are used to detect changes to message
can be used in various ways with messages
mostly used to create digital signatures
A variation on the message authentication code is the one-way hash function. As with the message authentication code, a hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M). Unlike a MAC, a hash code does not use a key but is a function only of the input message. The hash code is also referred to as a message digest or hash value.

17. Hash Functions & Digital Signatures
Stallings Figure 11.5c “Basic Uses of Hash Functions” shows the hash being “signed” with the senders private key, thus forming a digital signature.

18. Requirements for Hash Functions
can be applied to any sized message M
produces fixed-length output h
is easy to compute h=H(M) for any message M
one-way property: given h it should be infeasible to find x s.t. H(x)=h
weak collision resistance: given x it should be infeasible to find y s.t. H(y)=H(x)
strong collision resistance: it should be infeasible to find any x,y s.t. H(y)=H(x)
The purpose of a hash function is to produce a “fingerprint”of a file, message, or other block of data.
These are the specifications for good hash functions. Essentially it must be extremely difficult to find 2 messages with the same hash, and the hash should not be related to the message in any obvious way (ie it should be a complex non-linear function of the message). There are quite a few similarities in the evolution of hash functions & block ciphers, and in the evolution of the design requirements on both.

19. Simple Hash Functions There are several proposals for simple functions
based on XOR of message blocks
not secure since can manipulate any message and either not change hash or change hash also
need a stronger cryptographic function
All hash functions operate using the following general principles. The input (message, file,etc.) is viewed as a sequence of n-bit blocks, processed one block at a time in an iterative fashion to produce an n-bit hash function. Can construct a range of possible simple hash functions by just XOR’ing blocks with rotates etc. None of these are secure, since can predict how changes to message affect the resulting hash.

20. Secure Hash Algorithm SHA originally designed by NIST & NSA in 1993
was revised in 1995 as SHA-1
US standard for use with DSA signature scheme
standard is FIPS , also Internet RFC3174
based on design of MD4 with key differences
produces 160-bit hash values
recent 2005 results on security of SHA-1 have raised concerns on its use in future applications
The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993; a revised version was issued as FIPS in 1995 and is generally referred to as SHA-1. The actual standards document is entitled Secure Hash Standard. SHA is based on the hash function MD4 and its design closely models MD4. SHA-1 produces a hash value of 160 bits. In 2005, a research team described an attack in which two separate messages could be found that deliver the same SHA-1 hash using 2^69 operations, far fewer than the 2^80 operations previously thought needed to find a collision with an SHA-1 hash [WANG05]. This result should hasten the transition to newer, longer versions of SHA.
NIST = National Institute of Standards and Technology
NSA = National Security Agency

21. Secure Hash Function

22. Hash Algorithm Structure
Most important modern hash functions follow the basic structure shown in this figure, Stallings Figure This has proved to be a fundamentally sound structure, and newer designs simply refine the structure and add to the hash code length. Within this basic structure, two approaches have been followed in the design of the compression function, as mentioned previously, which is the basic building block of the hash function.

23. Revised Secure Hash Standard
NIST issued revision FIPS in 2002
adds 3 additional versions of SHA
SHA-256, SHA-384, SHA-512
designed for compatibility with increased security provided by the AES cipher
structure & detail is similar to SHA-1
hence analysis should be similar
but security levels are rather higher
In 2002, NIST produced a revised version of the standard, FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512. These new versions have the same underlying structure and use the same types of modular arithmetic and logical binary operations as SHA-1, hence analyses should be similar. In 2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on the other SHA versions by See Stallings Table12.1 for comparative details of these algorithms.

24. SHA-512 Overview
Now examine the structure of SHA-512, noting that the other versions are quite similar.
SHA-512 follows the structure depicted in Stallings Figure The processing consists of the following steps:
• Step 1: Append padding bits
• Step 2: Append length
• Step 3: Initialize hash buffer
• Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart of the algorithm
• Step 5: Output the final state value as the resulting hash
See text for details.

25. Keyed Hash Functions as MACs
Need a MAC based on a hash function
because hash functions are generally faster
code for cryptographic hash functions widely available
hash includes a key along with message
original proposal:
KeyedHash = Hash(Key|Message)
some weaknesses were found with this
eventually led to development of HMAC
In recent years, there has been increased interest in developing a MAC derived from a cryptographic hash function. A hash function such as SHA was not designed for use as a MAC and cannot be used directly for that purpose because it does not rely on a secret key. There have been a number of proposals for the incorporation of a secret key into an existing hash algorithm, originally by just pre-pending a key to the message. Problems were found with these earlier, simpler proposals, but they resulted in the development of HMAC.

26. HMAC specified as Internet standard RFC2104
uses hash function on the message:
HMACK = Hash[(K+ XOR opad) ||
Hash[(K+ XOR ipad)||M)]]
where K+ is the key padded out to size
and opad (5C Hex), ipad (36 Hex) are specified padding constants
overhead is just 3 more hash calculations than the message needs alone
any hash function can be used
eg. MD5, SHA-1, RIPEMD-160, Whirlpool
The idea of a keyed hash evolved into HMAC, designed to overcome some problems with the original proposals. It involves hashing padded versions of the key concatenated with the message, and then with another outer hash of the result prepended by another padded variant of the key. The hash function need only be used on 3 more blocks than when hashing just the original message (for the two keys + inner hash). HMAC can use any desired hash function, and has been shown to have the same security as the underlying hash function. Can choose the hash function to use based on speed/security concerns.

27. HMAC Overview ipad = 36 hex opad = 5C hex
Stallings Figure shows the structure of HMAC, which implements the function:
HMACK = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M)]
elements are:
K+ is K padded with zeros on the left so that the result is b bits in length
ipad is a pad value of 36 hex repeated to fill block
opad is a pad value of 5C hex repeated to fill block
M is the message input to HMAC (including the padding specified in the embedded hash function)
ipad = 36 hex
opad = 5C hex

28. HMAC Security
proved security of HMAC relates to that of the underlying hash algorithm
attacking HMAC requires either:
brute force attack on key used
birthday attack (but since keyed would need to observe a very large number of messages)
choose hash function used based on speed verses security constraints
The appeal of HMAC is that its designers have been able to prove an exact relationship between the strength of the embedded hash function and the strength of HMAC. The security of a MAC function is generally expressed in terms of the probability of successful forgery with a given amount of time spent by the forger and a given number of message-MAC pairs created with the same key. Have two classes of attacks: brute force attack on key used which has work of order 2^n; or a birthday attack which requires work of order 2^(n/2) - but which requires the attacker to observe 2^n blocks of messages using the same key - very unlikely. So even MD5 is still secure for use in HMAC given these constraints.

29. Typical Digital Signature Approach
Henric Johnson

30. Obtaining a User’s Certificate
Characteristics of certificates generated by CA:
Any user with access to the public key of the CA can recover the user public key that was certified.
No part other than the CA can modify the certificate without this being detected.
Henric Johnson

31. X.509 CA Hierarchy
Henric Johnson

32. Revocation of Certificates
Reasons for revocation:
The users secret key is assumed to be compromised.
The user is no longer certified by this CA.
The CA’s certificate is assumed to be compromised.
Henric Johnson