Download presentation
Presentation is loading. Please wait.
1
© The McGraw-Hill Companies, Inc., 2007 訊息鑑別 (Message Authentication)
2
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 2 8.1 前言 8.2 單向赫序函數 8.3 文件訊息完整性驗證 8.4 MD5 8.5 SHA 8.6 文件訊息的來源驗證 8.7 文件訊息鑑別碼 本章內容
3
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 3 8.1 前言 在網路上公開的傳送文件訊息 (Document or Message) 很容易遭到駭客攔截竄改、新增、或 刪除等攻擊。 – 需對文件訊息作完整性 (Integrity) 驗證。 該文件訊息是否確實為某人所送過來的文件訊 息,而非由他人假冒。 – 需驗證訊息的來源是否正確。
4
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 4 ◎ 單向赫序函數二個主要功能 (1) 將文件訊息打散及重組,使其不能再還原為 原始文件訊息。 (2) 將任意長度的文件訊息壓縮成固定長度的訊 息摘要。 ◎ 數學式子 MD=H(M) H(.) :一單向赫序函數 M :表一任意長度文件訊息 8.2 單向赫序函數
5
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 5 ◎ 單向赫序函數三種特性 (1) 給定文件訊息 M ,可很容易算出其對應的訊息摘 要 MD 。 (2) 給定一訊息摘要 MD ,很難從 MD 去找到一個文 件訊息 M 〞,使 H(M 〞 )= MD 。 (3) 給定一文件訊息 M ,很難再找到另一文件訊息 M 〞,使 H(M)=H(M 〞 ) 。 單向赫序函數特性
6
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 6 ◎ 以單向赫序函數做文件訊息的完整驗證,其驗證 方式如下: 8.3 文件訊息完整性驗證
7
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 7 8.4 MD5 MD5 was developed by Ron Rivest at MIT Arbitrary Length Message MD5 128- bit Message MD5 was developed by Ron Rivest at MIT Arbitrary Length Message MD5 128- bit Message Introduction
8
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 8
9
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 9 MD5 Message Digest Algorithm
10
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 10 MD5 Message Digest Algorithm (續) Initial Vector, IV A: 01 23 45 67 B: 89 AB CD EF C: FE DC BA 98 D: 76 54 32 10 Note: hexadecimal values
11
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 11 MD5 Processing of a Single 512-bit Block F, T[1…16], X[i] 16 steps ++++ G, T[17…32], X[ρ 2 i] 16 steps H, T[33…48], X[ρ 3 i] 16 steps I, T[49…64], X[ρ 4 i] 16 steps ABCD ABCD ABCD ABCD 32 128 CV q CV q+1 YqYq 512 F, G, H, I: four primitive logical function T[i]: Table T, constructed from the sine function X[k]: Array X + : addition modulo 2 32 MD5 Compression Function
![訊息鑑別 © The McGraw-Hill Companies, Inc., MD5 Processing of a Single 512-bit Block F, T[1…16], X[i] 16 steps ++++ G, T[17…32], X[ρ 2 i] 16 steps H, T[33…48], X[ρ 3 i] 16 steps I, T[49…64], X[ρ 4 i] 16 steps ABCD ABCD ABCD ABCD CV q CV q+1 YqYq 512 F, G, H, I: four primitive logical function T[i]: Table T, constructed from the sine function X[k]: Array X + : addition modulo 2 32 MD5 Compression Function](http://images.slideplayer.com./16/5120722/slides/slide_11.jpg "訊息鑑別 © The McGraw-Hill Companies, Inc., MD5 Processing of a Single 512-bit Block F, T[1…16], X[i] 16 steps ++++ G, T[17…32], X[ρ 2 i] 16 steps H, T[33…48], X[ρ 3 i] 16 steps I, T[49…64], X[ρ 4 i] 16 steps ABCD ABCD ABCD ABCD CV q CV q+1 YqYq 512 F, G, H, I: four primitive logical function T[i]: Table T, constructed from the sine function X[k]: Array X + : addition modulo 2 32 MD5 Compression Function")
12
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 12 MD5 Compression Function Primitive Logical Function
13
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 13 MD5 Compression Function (續) Table T T[i] = 2 32 abs(sin(i)) sin: sine function Example:
![訊息鑑別 © The McGraw-Hill Companies, Inc., MD5 Compression Function (續) Table T T[i] = 2 32 abs(sin(i)) sin: sine function Example:](http://images.slideplayer.com./16/5120722/slides/slide_13.jpg "訊息鑑別 © The McGraw-Hill Companies, Inc., MD5 Compression Function (續) Table T T[i] = 2 32 abs(sin(i)) sin: sine function Example:")
14
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 14 MD5 Compression Function (續) Array X X[k]: Array X, X[k] = M[q 16 + k] = the kth 32-bit word in the qth 512-bit block of the message Permutation ρ ρ 2 (i) = (1 + 5i) mod 16 ρ 3 (i) = (5 + 3i) mod 16 ρ 4 (i) = 7i mod 16
![訊息鑑別 © The McGraw-Hill Companies, Inc., MD5 Compression Function (續) Array X X[k]: Array X, X[k] = M[q 16 + k] = the kth 32-bit word in the qth 512-bit block of the message Permutation ρ ρ 2 (i) = (1 + 5i) mod 16 ρ 3 (i) = (5 + 3i) mod 16 ρ 4 (i) = 7i mod 16](http://images.slideplayer.com./16/5120722/slides/slide_14.jpg "訊息鑑別 © The McGraw-Hill Companies, Inc., MD5 Compression Function (續) Array X X[k]: Array X, X[k] = M[q 16 + k] = the kth 32-bit word in the qth 512-bit block of the message Permutation ρ ρ 2 (i) = (1 + 5i) mod 16 ρ 3 (i) = (5 + 3i) mod 16 ρ 4 (i) = 7i mod 16")
15
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 15 Elementary MD5 Operation (single step) ABCD g + ABCD + + CLS s + X[k] T[i] CLSs: <<< s, Circular Left Shift s bits Primitive Logical Function
![訊息鑑別 © The McGraw-Hill Companies, Inc., Elementary MD5 Operation (single step) ABCD g + ABCD + + CLS s + X[k] T[i] CLSs: <<< s, Circular Left Shift s bits Primitive Logical Function](http://images.slideplayer.com./16/5120722/slides/slide_15.jpg "訊息鑑別 © The McGraw-Hill Companies, Inc., Elementary MD5 Operation (single step) ABCD g + ABCD + + CLS s + X[k] T[i] CLSs: <<< s, Circular Left Shift s bits Primitive Logical Function")
16
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 16 8.5 Secure Hash Algorithm (SHA-1) IntroductionIntroduction SHA was developed by the National Institute of Standard and Technology(NIST) SHA was published as a federal information processing standard(FIPS PUB 180) in 1993 Maximum length of less than 2 64 Message SHA 160-bit Message SHA was developed by the National Institute of Standard and Technology(NIST) SHA was published as a federal information processing standard(FIPS PUB 180) in 1993 Maximum length of less than 2 64 Message SHA 160-bit Message
17
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 17 ANSI : American National Standards Institute ( 美國 國家標準局 ) ANSI 是美國主要的標準訂定單位,它 負責訂定許多資訊處理方面的定義及標準。 ANSI 是代表出席 ISO 的美國代表。 NIST : National Institute of Standards and Technology ( 美國國家標準技術局 ) 美國國家標準技術局 ( 前身 為 National Bureau of Standards) 隸屬美國商業部, 是發展標準的主要生力軍, NIST 底下的電腦科學 技術局 (The Institute for Computer Sciences and Technology) 為美國研發並出版 FIPS 標準 (Federal Information Processing Standards) ,聯邦機構依此標 準購買電腦設備。
18
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 18 FIPS : Federal Information Processing Standards (聯 邦資訊處理標準)聯邦資訊處理標準是美國聯邦政 府用來定義政府機構購買資訊系統的要求條件以及 審核電腦及通訊系統的一套標準。常以 FIPS PUB xxxx 形式表達。
19
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 19 Secure Hash Algorithm (SHA-1) (續)
20
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 20 Initial Vector, IV A: 67 45 23 01 B: EF CD AB 89 C: 98 BA DC FE D: C3 D2 E1 F0 E: C3 D2 E1 F0 Note: hexadecimal values Secure Hash Algorithm (SHA-1) (續)
21
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 21 SHA-1 Processing of a Single 512-bit Block f 1, K, W[1…19] 20 steps ++++ f 2, K, W[20…39] 20 steps f 3, K, W[40…59] 20 steps f 4, K, W[60…70] 20 steps ABCD ABCD ABCD ABCD 32 160 CV q CV q+1 YqYq 512 + E E E E f: primitive logical function K t : an additive constant; four distinct values are used, as defined previously W t : a 32-bit word derive from the current 512-bit input block + : addition modulo 2 32 SHA-1 Compression Function
![訊息鑑別 © The McGraw-Hill Companies, Inc., SHA-1 Processing of a Single 512-bit Block f 1, K, W[1…19] 20 steps ++++ f 2, K, W[20…39] 20 steps f 3, K, W[40…59] 20 steps f 4, K, W[60…70] 20 steps ABCD ABCD ABCD ABCD CV q CV q+1 YqYq E E E E f: primitive logical function K t : an additive constant; four distinct values are used, as defined previously W t : a 32-bit word derive from the current 512-bit input block + : addition modulo 2 32 SHA-1 Compression Function](http://images.slideplayer.com./16/5120722/slides/slide_21.jpg "訊息鑑別 © The McGraw-Hill Companies, Inc., SHA-1 Processing of a Single 512-bit Block f 1, K, W[1…19] 20 steps ++++ f 2, K, W[20…39] 20 steps f 3, K, W[40…59] 20 steps f 4, K, W[60…70] 20 steps ABCD ABCD ABCD ABCD CV q CV q+1 YqYq E E E E f: primitive logical function K t : an additive constant; four distinct values are used, as defined previously W t : a 32-bit word derive from the current 512-bit input block + : addition modulo 2 32 SHA-1 Compression Function")
22
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 22 SHA-1 Compression Function Primitive Logical Function
23
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 23 SHA-1 Compression Function (續)
24
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 24 SHA-1 Compression Function (續) Four Additive Constant, K t Step NumberHexadecimal 0 t 19 K t = 5A827999 20 t 39 K t = 6ED9EBA1 40 t 59 K t = 8F1BBCDC 60 t 79 K t = CA62C1D6
25
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 25 SHA-1 Compression Function (續) YqYq W0W0 W1W1 W 15 XOR S1S1 W 16 XOR S1S1 S1S1 WtWt W 79 512 bitsW0W0 W2W2 W6W6 W8W8 W t-16 W t-14 W t-8 W t-3 W 63 W 65 W 71 W 76 ……… S k : <<< k, Circular Left Shift k bits Array W W t = S 1 (W t-16 W t-14 W t-8 W t-3 )
26
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 26 Elementary SHA-1 Operation (single step) ABCD ftft + ABCD + + + E E S5S5 S 30 WtWt KtKt
27
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 27 Comparison of SHA-1 and MD5 Security: –SHA-1 is more stronger against brute-force attacks than MD5 –MD5 is vulnerable to cryptanalytic attacks, but SHA-1 is not Speed: –SHA-1 execute more slowly than MD5 Simplicity and Compactness: –Both algorithm are simple to describe and simple to implement
28
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 28 8.6 文件訊息的來源驗證 單向赫序函數雖然可用來作訊息的完整性驗 證但實際運用上卻是行不通的。 問題在於沒有對訊息的來源作鑑別。
29
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 29 植基於對稱式密碼系統的文件訊息鑑別機制 ◎ 以對稱式密碼系統來作為文件訊息鑑別機制,其 驗證方式如下:
30
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 30 植基於公開金鑰密碼系統的文件訊息鑑別機制 ◎ 以公開金鑰密碼系統來做數位簽章,其文件訊息 鑑別方式如下:
31
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 31 植基於金鑰相依單向赫序函數的文件訊息鑑別機制 ◎為改善前面兩種方法需大量運算的缺點,便有了植基於金 鑰相依單向赫序函數,此種機制又稱文件訊息鑑別碼 ( MAC ) :
32
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 32 8.7 文件訊息鑑別碼 ◎ 文件訊息鑑別碼 ( Message Authentication Code,MAC ) 可用來驗證文件訊息是否為約定 好通訊的雙方所傳送,並可驗證文件訊息在 傳遞過程中是否遭到竄改。
33
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 33 利用對稱式密碼系統及單向赫序函數所構成的 MAC
34
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 34 CBC-MAC
35
訊息鑑別 © The McGraw-Hill Companies, Inc., 2007 35 單向赫序函數 MAC 這種 MAC 類型是利用一單向赫序函數,配合一祕密 金鑰所構成的文件訊息鑑別碼。 此類的文件訊息鑑別碼機制也可讓使用者自行來 決定要採用何種單向赫序函數,在實作上相當便利 也具有彈性。 串接方式可以是 H(K||M) ,但不安全。較安全的串接 方式是 H(M||K) 、 H(K 1 ||M||K 2 ) 、 H(K,H(K||M)) 、 H(K 1,H(K 2 ||M))
Similar presentations
