Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

Transcription

1 Unit III Chapter 1: Message Authentication and Hash Functions Overview: Message authentication is a mechanism or service used to verify the integrity of a message. Message authentication assures that data received are exactly as sent by (i.e., contain no modification, insertion, deletion, or replay) and that the purported identity of the sender is valid. Symmetric encryption provides authentication among those who share the secret key. Encryption of a message by a sender's private key also provides a form of authentication. The two most common cryptographic techniques for message authentication are a message authentication code (MAC) and a secure hash function. A MAC is an algorithm that requires the use of a secret key. A MAC takes a variablelength message and a secret key as input and produces an authentication code. A recipient in possession of the secret key can generate an authentication code to verify the integrity of the message. A hash function maps a variable-length message into a fixed length hash value, or message digest. For message authentication, a secure hash function must be combined in some fashion with a secret key. Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) will consider the security requirements then three alternative functions used:

2 message encryption message authentication code (MAC) hash function Authentication Requirements In the context of communications across a network, the following attacks can be identified: 1. Disclosure: Release of message contents to any person or process not possessing the appropriate cryptographic key. 2. Traffic analysis: Discovery of the pattern of traffic between parties. In a connectionoriented application, the frequency and duration of connections could be determined. In either a connection-oriented or connectionless environment, the number and length of messages between parties could be determined. 3. Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or nonreceipt by someone other than the message recipient. 4. Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification. 5. Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering. 6. Timing modification: Delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message (e.g., datagram) could be delayed or replayed. 7. Source repudiation: Denial of transmission of message by source. 8. Destination repudiation: Denial of receipt of message by destination.

3 Authentication Functions Any message authentication or digital signature mechanism has two levels of functionality. At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message. This lower-level function is then used as a primitive in a higherlevel authentication protocol that enables a receiver to verify the authenticity of a message. This section is concerned with the types of functions that may be used to produce an authenticator. These may be grouped into three classes, as follows: Message encryption: The ciphertext of the entire message serves as its authenticator Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator Hash function: A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator Message Encryption message encryption by itself also provides a measure of authentication if symmetric encryption is used then: receiver know sender must have created it since only sender and receiver now key used know content cannot of been altered if message has suitable structure, redundancy or a checksum to detect any changes if public-key encryption is used: encryption provides no confidence of sender since anyone potentially knows public-key however if

4 sender signs message using their private-key then encrypts with recipients public key have both secrecy and authentication again need to recognize corrupted messages but at cost of two public-key uses on message

5 Message Authentication Code (MAC) An alternative authentication technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC that is appended to the message. This technique assumes that two communicating parties, say A and B, share a common secret key K. When A has a message to send to B, it calculates the MAC as a function of the message and the key:mac = C(K, M), where M C K = input message = MAC function = shared secret key MAC = message authentication code 1. The receiver is assured that the message has not been altered. If an attacker alters the message but does not alter the MAC, then the receiver's calculation of the MAC will

6 differ from the received MAC. Because the attacker is assumed not to know the secret key, the attacker cannot alter the MAC to correspond to the alterations in the message. 2. The receiver is assured that the message is from the alleged sender. Because no one else knows the secret key, no one else could prepare a message with a proper MAC. 3. If the message includes a sequence number (such as is used with HDLC, X.25, and TCP), then the receiver can be assured of the proper sequence because an attacker cannot successfully alter the sequence number.

7 MAC Properties a MAC is a cryptographic checksum MAC = C K (M) condenses a variable-length message M using a secret key K to a fixed-sized authenticator is a many-to-one function potentially many messages have same MAC but finding these needs to be very difficult Requirements for MACs taking into account the types of attacks need the MAC to satisfy the following: 1. knowing a message and MAC, is infeasible to find another message with same MAC 2. MACs should be uniformly distributed 3. MAC should depend equally on all bits of the message Using Symmetric Ciphers for MACs can use any block cipher chaining mode and use final block as a MAC Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC using IV=0 and zero-pad of final block encrypt message using DES in CBC mode

8 and send just the final block as the MAC or the leftmost M bits (16 M 64) of final block but final MAC is now too small for security Hash Functions condenses arbitrary message to fixed size h = H(M) usually assume that the hash function is public and not keyed cf. MAC which is keyed hash used to detect changes to message can use in various ways with message most often to create a digital signature Requirements for Hash Functions 1. can be applied to any sized message M 2. produces fixed-length output h 3. is easy to compute h=h(m) for any message M 4. given h is infeasible to find x s.t. H(x)=h one-way property 5. given x is infeasible to find y s.t. H(y)=H(x) weak collision resistance 6. is infeasible to find any x,y s.t. H(y)=H(x) strong collision resistance

9 Basic Uses of Hash Function Simple Hash Functions are several proposals for simple functions based on XOR of message blocks

10 not secure since can manipulate any message and either not change hash or change hash also need a stronger cryptographic function (next chapter) Birthday Attacks might think a 64-bit hash is secure but by Birthday Paradox is not birthday attack works thus: opponent generates 2 m/2 variations of a valid message all with essentially the same meaning opponent also generates 2 m/2 variations of a desired fraudulent message two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox) have user sign the valid message, then substitute the forgery which will have a valid signature conclusion is that need to use larger MAC/hash Block Ciphers as Hash Functions can use block ciphers as hash functions using H 0 =0 and zero-pad of final block compute: H i = E Mi [H i-1 ] and use final block as the hash value similar to CBC but without a key resulting hash is too small (64-bit)

11 both due to direct birthday attack and to meet-in-the-middle attack other variants also susceptible to attack Hash Functions & MAC Security like block ciphers have: brute-force attacks exploiting strong collision resistance hash have cost 2 m/2 have proposal for h/w MD5 cracker 128-bit hash looks vulnerable, 160-bits better MACs with known message-mac pairs can either attack keyspace (cf key search) or MAC at least 128-bit MAC is needed for security cryptanalytic attacks exploit structure like block ciphers want brute-force attacks to be the best alternative have a number of analytic attacks on iterated hash functions CV i = f[cv i-1, M i ]; H(M)=CV N typically focus on collisions in function f like block ciphers is often composed of rounds attacks exploit properties of round functions Summary have considered:

12 message authentication using message encryption MACs hash functions general approach & security Key Terms authenticator hash function one-way hash function birthday attack hash value strong collision resistance birthday paradox message authentication weak collision resistance compression function cryptographic checksum hash code message authentication code (MAC) message digest Review Questions 1 What types of attacks are addressed by message authentication? 2 What two levels of functionality comprise a message authentication or digital signature mechanism? 3 What are some approaches to producing message authentication? 4 When a combination of symmetric encryption and an error control code is used for message authentication, in what order must the two functions be performed?

13 5 What is a message authentication code? 6 What is the difference between a message authentication code and a one-way hash function? 7 In what ways can a hash value be secured so as to provide message authentication? 8 Is it necessary to recover the secret key in order to attack a MAC algorithm? 9 What characteristics are needed in a secure hash function? 10 What is the difference between weak and strong collision resistance? 11 What is the role of a compression function in a hash function? Chapter2: Hash and MAC Algorithms Overview: The compression function used in secure hash algorithms falls into one of two categories: a function specifically designed for the hash function or a symmetric block cipher. SHA and Whirlpool are examples of these two approaches, respectively. Message authentication codes also fall into two categories; those based on the use of a secure hash algorithm and those based on the use of a symmetric block cipher. HMAC and CMAC are examples of these two approaches, respectively. Hash and MAC Algorithms Hash Functions condense arbitrary size message to fixed size by processing message in blocks through some compression function either custom or block cipher based Message Authentication Code (MAC) fixed sized authenticator for some message

14 to provide authentication for message by using block cipher mode or hash function Hash Algorithm Structure Secure Hash Algorithm SHA originally designed by NIST & NSA in 1993 was revised in 1995 as SHA-1 US standard for use with DSA signature scheme standard is FIPS , also Internet RFC3174 nb. the algorithm is SHA, the standard is SHS based on design of MD4 with key differences produces 160-bit hash values recent 2005 results on security of SHA-1 have raised concerns on its use in future applications Revised Secure Hash Standard NIST issued revision FIPS in 2002 adds 3 additional versions of SHA

15 SHA-256, SHA-384, SHA-512 designed for compatibility with increased security provided by the AES cipher structure & detail is similar to SHA-1 hence analysis should be similar but security levels are rather higher HMAC: 1. Cryptographic hash functions such as MD5 and SHA-1 generally execute faster in software than symmetric block ciphers such as DES. 2. Library code for cryptographic hash functions is widely available. HMAC Design Objectives RFC 2104 lists the following design objectives for HMAC: To use, without modifications, available hash functions. In particular, hash functions that perform well in software, and for which code is freely and widely available. To allow for easy replaceability of the embedded hash function in case faster or more secure hash functions are found or required. To preserve the original performance of the hash function without incurring a significant degradation. To use and handle keys in a simple way. To have a well understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions about the embedded hash function. HMAC Algorithm The following figure illustrates the overall operation of HMAC. Define the following terms: H IV M = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160) = initial value input to hash function = message input to HMAC(including the padding specified in the embedded hash function) Y i = ith block of M, 0 i (L - 1) L = number of blocks in M

16 H b n K K + ipad = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160) = number of bits in a block = length of hash code produced by embedded hash function = secret key recommended length is n; if key length is greater than b; the key is input to the hash function to produce an n-bit key = K padded with zeros on the left so that the result is b bits in length = (36 in hexadecimal) repeated b/8 times opad = (5C in hexadecimal) repeated b/8 times Figure HMAC Structure Then HMAC can be expressed as follows: HMAC(K,M) = H[(K + opad) H[(K + ipad) M]]

17 In words, 1. Append zeros to the left end of K to create a b-bit string K + (e.g., if K is of length 160 bits and b = 512 then K will be appended with 44 zero bytes 0 x 00). 2. XOR (bitwise exclusive-or) K + with ipad to produce the b-bit block S i. 3. Append M to S i. 4. Apply H to the stream generated in step XOR K + with opad to produce the b-bit block S o 6. Append the hash result from step 4 to S o 7. Apply H to the stream generated in step 6 and output the result. HMAC Security proved security of HMAC relates to that of the underlying hash algorithm attacking HMAC requires either: brute force attack on key used birthday attack (but since keyed would need to observe a very large number of messages) choose hash function used based on speed verses security constraints Summary have considered: some current hash algorithms SHA-512 & Whirlpool HMAC authentication using hash function CMAC authentication using a block cipher Key Terms big endian CMAC HMAC little endian compression function

18 Review Questions 1 What is the difference between little-endian and big-endian format? 2 What basic arithmetical and logical functions are used in SHA? 3 What basic arithmetical and logical functions are used in Whirlpool? 4 Why has there been an interest in developing a message authentication code derived from a cryptographic hash function as opposed to one derived from a symmetric cipher? 5 What changes in HMAC are required in order to replace one underlying hash function with another? Chapter3: Digital Signatures and Authentication Protocols Overview: A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature. The signature is formed by taking the hash of the message and encrypting the message with the creator's private key. The signature guarantees the source and integrity of the message. Mutual authentication protocols enable communicating parties to satisfy themselves mutually about each other's identity and to exchange session keys. In one-way authentication, the recipient wants some assurance that a message is from the alleged sender. The digital signature standard (DSS) is an NIST standard that uses the secure hash algorithm (SHA). Digital Signatures The digital signature is analogous to the handwritten signature. It must have the following properties: It must verify the author and the date and time of the signature. It must to authenticate the contents at the time of the signature. It must be verifiable by third parties, to resolve disputes. Thus, the digital signature function includes the authentication function.

19 On the basis of these properties, we can formulate the following requirements for a digital signature: The signature must be a bit pattern that depends on the message being signed. The signature must use some information unique to the sender, to prevent both forgery and denial. It must be relatively easy to produce the digital signature. It must be relatively easy to recognize and verify the digital signature. It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message. It must be practical to retain a copy of the digital signature in storage. Direct Digital Signatures involve only sender & receiver assumed receiver has sender s public-key digital signature made by sender signing entire message or hash with private-key can encrypt using receivers public-key important that sign first then encrypt message & signature security depends on sender s private-key Arbitrated Digital Signatures Arbitrated Digital Signature Techniques (1) X A: M E(K xa, [ID X H(M)]) (2) A Y: E(K ay, [ID X M E(K xa, [ID X H(M)]) T]) (a) Conventional Encryption, Arbiter Sees Message (1) X A: ID X E(K xy, M) E(K xa, [ID X H(E(K xy, M))]) (2) A Y: E(K ay,[id X E(K xy, M)]) E(K xa, [ID X H(E(K xy, M)) T]) (b) Conventional Encryption, Arbiter Does Not See Message

20 Arbitrated Digital Signature Techniques (1) X A: M E(K xa, [ID X H(M)]) (1) X A: ID X E(PR x, [ID X E(PU y, E(PR x, M))]) (2) A Y: E(PR a, [ID X E(PU y, E(PR x, M)) T]) (c) Public-Key Encryption, Arbiter Does Not See Message Notation: X Y A M T = sender = recipient = Arbiter = message = timestamp Authentication Protocols used to convince parties of each others identity and to exchange session keys may be one-way or mutual key issues are confidentiality to protect session keys timeliness to prevent replay attacks published protocols are often found to have flaws and need to be modified Mutual Authentication Simple replay: The opponent simply copies a message and replays it later. Repetition that can be logged: An opponent can replay a timestamped message within the valid time window.

21 Repetition that cannot be detected: This situation could arise because the original message could have been suppressed and thus did not arrive at its destination; only the replay message arrives. Backward replay without modification: This is a replay back to the message sender. This attack is possible if symmetric encryption is used and the sender cannot easily recognize the difference between messages sent and messages received on the basis of content. One approach to coping with replay attacks is to attach a sequence number to each message used in an authentication exchange. A new message is accepted only if its sequence number is in the proper order. The difficulty with this approach is that it requires each party to keep track of the last sequence number for each claimant it has dealt with. Because of this overhead, sequence numbers are generally not used for authentication and key exchange. Instead, one of the following two general approaches is used: Timestamps: Party A accepts a message as fresh only if the message contains a timestamp that, in A's judgment, is close enough to A's knowledge of current time. This approach requires that clocks among the various participants be synchronized. Challenge/response: Party A, expecting a fresh message from B, first sends B a nonce (challenge) and requires that the subsequent message (response) received from B contain the correct nonce value. Symmetric Encryption Approaches as discussed previously can use a two-level hierarchy of keys usually with a trusted Key Distribution Center (KDC) each party shares own master key with KDC KDC generates session keys used for connections between parties master keys used to distribute these to them Needham-Schroeder Protocol original third-party key distribution protocol for session between A B mediated by KDC protocol overview is: 1. A->KDC: ID A ID B N 1 2. KDC -> A: E Ka [Ks ID B N 1 E Kb [Ks ID A ] ]

22 3. A -> B: E Kb [Ks ID A ] 4. B -> A: E Ks [N 2 ] 5. A -> B: E Ks [f(n 2 )] used to securely distribute a new session key for communications between A & B but is vulnerable to a replay attack if an old session key has been compromised then message 3 can be resent convincing B that is communicating with A modifications to address this require: timestamps (Denning 81) using an extra nonce (Neuman 93) Let us follow this exchange step by step. 1. A initiates the authentication exchange by generating a nonce, N a, and sending that plus its identifier to B in plaintext. This nonce will be returned to A in an encrypted message that includes the session key, assuring A of its timeliness. 2. B alerts the KDC that a session key is needed. Its message to the KDC includes its identifier and a nonce, N b This nonce will be returned to B in an encrypted message that includes the session key, assuring B of its timeliness. B's message to the KDC also includes a block encrypted with the secret key shared by B and the KDC. This block is used to instruct the KDC to issue credentials to A; the block specifies the intended recipient of the credentials, a suggested expiration time for the credentials, and the nonce received from A. 3. The KDC passes on to A B's nonce and a block encrypted with the secret key that B shares with the KDC. The block serves as a "ticket" that can be used by A for subsequent authentications, as will be seen. The KDC also sends to A a block encrypted with the secret key shared by A and the KDC. This block verifies that B has received A's initial message (ID B ) and that this is a timely message and not a replay (N a ) and it provides A with a session key (K s ) and the time limit on its use (T b ). 4. A transmits the ticket to B, together with the B's nonce, the latter encrypted with the session key. The ticket provides B with the secret key that is used to decrypt E(K s, N b ) to recover the nonce. The fact that B's nonce is encrypted with the session key authenticates that the message came from A and is not a replay.

23 Using Public-Key Encryption have a range of approaches based on the use of public-key encryption need to ensure have correct public keys for other parties using a central Authentication Server (AS) various protocols exist using timestamps or nonces Denning AS Protocol Denning 81 presented the following: 1. A -> AS: ID A ID B 2. AS -> A: E PRas [ID A PU a T] E PRas [ID B PU b T] 3. A -> B: E PRas [ID A PU a T] E PRas [ID B PU b T] E PUb [E PRas [K s T]] note session key is chosen by A, hence AS need not be trusted to protect it timestamps prevent replay but require synchronized clocks One-Way Authentication required when sender & receiver are not in communications at same time (eg. ) have header in clear so can be delivered by system may want contents of body protected & sender authenticated Using Symmetric Encryption can refine use of KDC but can t have final exchange of nonces, vis: 1. A->KDC: ID A ID B N 1 2. KDC -> A: E Ka [Ks ID B N 1 E Kb [Ks ID A ] ] 3. A -> B: E Kb [Ks ID A ] E Ks [M] does not protect against replays could rely on timestamp in message, though delays make this problematic

24 Public-Key Approaches have seen some public-key approaches if confidentiality is major concern, can use: A->B: E PUb [Ks] E Ks [M] has encrypted session key, encrypted message if authentication needed use a digital signature with a digital certificate: A->B: M E PRa [H(M)] E PRas [T ID A PU a ] with message, signature, certificate Digital Signature Standard (DSS) US Govt approved signature scheme designed by NIST & NSA in early 90's published as FIPS-186 in 1991 revised in 1993, 1996 & then 2000 uses the SHA hash algorithm DSS is the standard, DSA is the algorithm FIPS (2000) includes alternative RSA & elliptic curve signature variants The DSS Approach

25 The Digital Signature Algorithm creates a 320 bit signature with bit security smaller and faster than RSA a digital signature scheme only security depends on difficulty of computing discrete logarithms variant of ElGamal & Schnorr schemes DSA Key Generation have shared global public key values (p,q,g): choose a large prime p with 2 L-1 < p < 2 L where L= 512 to 1024 bits and is a multiple of 64 choose q with < q < such that q is a 160 bit prime divisor of (p-1) choose g = h (p-1)/q where 1<h<p-1 and h (p-1)/q mod p > 1 users choose private & compute public key: choose x<q

26 compute y = g x mod p DSA Signature Creation to sign a message M the sender: generates a random signature key k, k<q nb. k must be random, be destroyed after use, and never be reused then computes signature pair: r = (g k mod p)mod q s = [k -1 (H(M)+ xr)] mod q sends signature (r,s) with message M DSA Signature Verification having received M & signature (r,s) to verify a signature, recipient computes: w = s -1 mod q u1= [H(M)w ]mod q u2= (rw)mod q v = [(g u1 y u2 )mod p ]mod q if v=r then signature is verified see book web site for details of proof why Summary have discussed: digital signatures authentication protocols (mutual & one-way) digital signature algorithm and standard

27 Key Terms arbiter arbitrated digital signature mutual authentication nonce direct digital signature digital signature digital signature algorithm (DSA) digital signature standard (DSS) one-way authentication replay attack suppress-replay attack timestamp Review Questions 1 List two disputes that can arise in the context of message authentication. 2 What are the properties a digital signature should have? 3 What requirements should a digital signature scheme satisfy? 4 What is the difference between direct and arbitrated digital signature? 5 In what order should the signature function and the confidentiality function be applied to a message, and why? 6 What are some threats associated with a direct digital signature scheme? 7 Give examples of replay attacks. 8 List three general approaches to dealing with replay attacks. 9 What is a suppress-replay attack?