Download presentation
Presentation is loading. Please wait.
Published byDominic Kelley Modified over 9 years ago
1
1 Message Authentication and Hash Functions G962110 何采宭
2
2 outline Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of Hash Functions and Macs
3
3 Authentication Requirements In the context of communications across a network, the following attacks can be identified: 1. Disclosure( 洩漏 ) 2. Traffic analysis( 流量分析 ) 3. Masquerade( 偽裝 ) 4. Content modification( 竄改內容 ) 5. Sequence modification( 竄改順序 ) 6. Timing modification( 竄改時序 ) 7. Source repudiation( 來源端否認曾傳送內容 ) 8. Destination repudiation( 目的端否認已收到訊息 )
4
4 Authentication Functions Any message authentication or digital signature mechanism has two levels of functionality 1. At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message 2. This lower-level function is then used as a primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message.
5
5 Authentication Functions the types of functions that may be used to produce an authenticator. These may be grouped into three classes, as follows: 1. Message encryption: The ciphertext of the entire message serves as its authenticator 2. Message authentication code (MAC): A function of the message and a secret key that produces a fixed- length value that serves as the authenticator 3. Hash function : A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator
6
6 Message Encryption Message encryption by itself can provide a measure of authentication. The analysis differs for symmetric and public-key encryption schemes. 1. Symmetric Encryption 2. Public-Key Encryption 3. Message Authentication Code 4. Hash Function
7
7 Symmetric Encryption
8
8 suppose that we are transmitting English-language messages using a Caesar cipher with a shift of one (K = 1). A sends the following legitimate ciphertext: nbsftfbupbutboeepftfbupbutboemjuumfmbnctfbujwz B decrypts to produce the following plaintext: mareseatoatsanddoeseatoatsandlittlelambseativy
9
9 Symmetric Encryption A simple frequency analysis confirms that this message has the profile of ordinary English. On the other hand, if an opponent generates the following random sequence of letters: zuvrsoevgqxlzwigamdvnmhpmccxiuureosfbcebtqxsxq this decrypts to: ytuqrndufpwkyvhfzlcumlgolbbwhttqdnreabdaspwrwp which does not fit the profile of ordinary English.
10
10 Symmetric Encryption force the plaintext to have some structure that is easily recognized but that cannot be replicated without recourse to the encryption function Ex: error-detecting code (frame check sequence, FCS/checksum)
11
11 Public-Key Encryption
12
12 Public-Key Encryption
13
13 Message Authentication Code use of a secret key to generate a small fixed-size block of data that is appended to the message. assumes that two communicating parties, say A and B, share a common secret key K. When A has a message to send to B, it calculates the MAC as a function of the message and the key:MAC = C K (M), where M= input message C= MAC function K= shared secret key MAC= message authentication code
14
14 Message Authentication Code if the received MAC matches the calculated MAC, then The receiver is assured that the message has not been altered The receiver is assured that the message is from the alleged sender. If the message includes a sequence number (such as is used with HDLC, X.25, and TCP), then the receiver can be assured of the proper sequence because an attacker cannot successfully alter the sequence number.
15
15 Message Authentication Code
16
16 Hash Function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M). Unlike a MAC, a hash code does not use a key but is a function only of the input message. The hash code is a function of all the bits of the message and provides an error-detection capability: A change to any bit or bits in the message results in a change to the hash code.
17
17 Hash Function illustrates a variety of ways in which a hash code can be used to provide message authentication, as follows:
18
18 Hash Function
19
19 Hash Function
20
20 Message Authentication Codes A MAC, also known as a cryptographic checksum, is generated by a function C of the form MAC = C K (M) M is a variable-length message K is a secret key shared only by sender and receiver C(K, M) is the fixed-length authenticator. is a many-to-one function potentially many messages have same MAC but finding these needs to be very difficult
21
21 Requirements for MACs When an entire message is encrypted for confidentiality, using either symmetric or asymmetric encryption, the security of the scheme generally depends on the bit length of the key. brute-force attack
22
22 Requirements for MACs taking into account the types of attacks need the MAC to satisfy the following: 1. knowing a message and MAC, is infeasible to find another message with same MAC 2. MACs should be uniformly distributed 3. MAC should depend equally on all bits of the message
23
23 Hash Function A hash value h is generated by a function H of the form h = H(M) M is a variable-length message H(M) is the fixed-length hash value
24
24 Requirements for a Hash Function 1. can be applied to any sized message M 2. produces fixed-length output h 3. is easy to compute h=H(M) for any message M 4. given h is infeasible to find x : H(x)=h one-way property 5. given x is infeasible to find y : H(y)=H(x) weak collision resistance 6. is infeasible to find any ( x,y ): H(y)=H(x) strong collision resistance
25
25 Simple Hash Functions One of the simplest hash functions is the bit- by-bit exclusive-OR (XOR) of every block. This can be expressed as follows: C i = b i1 ⊕ b i1 ⊕... ⊕ b im C i = ith bit of the hash code, 1 ≦ i ≦ n M = number of n-bit blocks in the input B ij = ith bit in jth block ⊕ = XOR operation
26
26 Birthday Attacks might think a 64-bit hash is secure Yuval proposed the following strategy: opponent generates 2 m / 2 variations of a valid message all with essentially the same meaning opponent also generates 2 m / 2 variations of a desired fraudulent message two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox) have user sign the valid message, then substitute the forgery which will have a valid signature The conclusion to be drawn from this is that the length of the hash code should be substantial
27
27 Block Chaining Techniques number of proposals have been made for hash functions based on using a cipher block chaining technique, but without the secret key. Divide a message M into fixed-size blocks M 1, M 2,..., M N and use a symmetric encryption system such as DES to compute the hash code G as follows: H o = initial value H i = E m i [ H i-1 ] G= H N
28
28 Block Chaining Techniques resulting hash is too small (64-bit) both due to direct birthday attack and to “meet-in-the-middle” attack other variants also susceptible to attack
29
29 Security of Hash Functions and Macs Just as with symmetric and public-key encryption, we can group attacks on hash functions and MACs into two categories: brute-force attacks and cryptanalysis.
30
30 Brute-Force Attacks Hash Functions The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm. Recall from our discussion of hash functions that there are three desirable properties: One-way: For any given code h, it is computationally infeasible to find x such that H(x) = h. Weak collision resistance: For any given block x, it is computationally infeasible to find y x with H(y) = H(x). Strong collision resistance: It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
31
31 Brute-Force Attacks For a hash code of length n, the level of effort required, as we have seen is proportional to the following: One way2n2n Weak collision resistance 2n2n Strong collision resistance 2 n/2
32
32 Brute-Force Attacks Message Authentication Codes A brute-force attack on a MAC is a more difficult undertaking because it requires known message-MAC pairs can either attack keyspace (key search) or MAC at least 128-bit MAC is needed for security
33
33 Cryptanalysis As with encryption algorithms, cryptanalytic attacks on hash functions and MAC algorithms seek to exploit some property of the algorithm to perform some attack other than an exhaustive search.
34
34 Hash Functions CV i = f[CV i-1, M i ]; H(M)=CV L CV i = f[CV i-1, M i ]; H(M)=CV L typically focus on collisions in function f typically focus on collisions in function f like block ciphers is often composed of rounds like block ciphers is often composed of rounds attacks exploit properties of round functions attacks exploit properties of round functions
35
35 Message Authentication Codes The attacks that have been mounted on hash functions are rather complex and beyond our scope here.
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.