Message Authentication Codes and Cryptographic Hash Functions

Similar documents
CS408 Cryptography & Internet Security

Data Integrity. Modified by: Dr. Ramzi Saifan

CSCE 715: Network Systems Security

Cryptographic Hash Functions

Introduction to Cryptography. Lecture 6

ENEE 459-C Computer Security. Message authentication

Data Integrity & Authentication. Message Authentication Codes (MACs)

Lecture 1 Applied Cryptography (Part 1)

Data Integrity & Authentication. Message Authentication Codes (MACs)

Cryptographic Hash Functions

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Integrity of messages

Spring 2010: CS419 Computer Security

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

CIS 4360 Secure Computer Systems Symmetric Cryptography

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Message Authentication and Hash function

Introduction to Software Security Hash Functions (Chapter 5)

Lecture 1: Course Introduction

S. Erfani, ECE Dept., University of Windsor Network Security

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Cryptographic hash functions and MACs

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Cryptographic Hash Functions. William R. Speirs

Security Requirements

Cryptographic Concepts

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

CSE 127: Computer Security Cryptography. Kirill Levchenko

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Network and System Security

CS Computer Networks 1: Authentication

Winter 2011 Josh Benaloh Brian LaMacchia

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Message Authentication and Hash function 2

Lecture 4: Authentication and Hashing

COMP4109 : Applied Cryptography

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

CSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions

Outline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question

Outline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr.

ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Unit 8 Review. Secure your network! CS144, Stanford University

Cryptography. Summer Term 2010

Jaap van Ginkel Security of Systems and Networks

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

CIT 480: Securing Computer Systems. Hashes and Random Numbers

Message authentication codes

CS155. Cryptography Overview

Computer Security: Principles and Practice

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Lecture 4: Hashes and Message Digests,

Encryption I. An Introduction

Security: Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

CSC574: Computer & Network Security

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Summary on Crypto Primitives and Protocols

David Wetherall, with some slides from Radia Perlman s security lectures.

Cryptography MIS

Digests Requirements MAC Hash function Security of Hash and MAC Birthday Attack MD5 SHA RIPEMD Digital Signature Standard Proof of DSS

ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

Appendix A: Introduction to cryptographic algorithms and protocols

Betriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

Cryptographic Hash Functions

Introduction to Cryptography

Encryption. INST 346, Section 0201 April 3, 2018

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

Chapter 11 Message Integrity and Message Authentication

Information Security CS526

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

CS155. Cryptography Overview

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

CSC 474/574 Information Systems Security

e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text

UNIT - IV Cryptographic Hash Function 31.1

Information Security CS526

Network Security. Cryptographic Hash Functions Add-on. Benjamin s slides are authoritative. Chair for Network Architectures and Services

Message authentication

Hash functions & MACs

APNIC elearning: Cryptography Basics

Ref:

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Data Encryption Standard (DES)

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Cryptography and Network Security

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Lecture 4: Cryptography III; Security. Course Administration

Multiple forgery attacks against Message Authentication Codes

P2_L8 - Hashes Page 1

Symmetric, Asymmetric, and One Way Technologies

Transcription:

Message Authentication Codes and Cryptographic Hash Functions Readings Sections 2.6, 4.3, 5.1, 5.2, 5.4, 5.6, 5.7 1

Secret Key Cryptography: Insecure Channels and Media Confidentiality Using a secret key cipher such as DES/CBC, we can assure that messages sent on a medium cannot be tapped by an eavesdropper Distribute a secret key between two parties, then use encryption on the sender s side and decryption on the receiver s side using any of the block or stream ciphers Can use the same technique for storing information on a disk: encrypt the information and decrypt when needed Check the tool GnuPG: http://www.gnupg.org/ Integrity? 2

Checksums and CRCs Used to provide integrity checks against random faults. Not sufficient for protection against malicious or intentional modification. Easy to make changes and re-compute the CRC to match. In the past, it was believed that the use of CRCs within encryption was sufficient to provide integrity. However, that is no longer considered adequate: Example: The use of CRCs in the WEP protocol resulted in a serious vulnerability, allowing for powerful active attacks. 3

Message Authentication Code (MAC) A MAC is a cryptographic checksum that serves as an authenticator of the message Generate a fixed length MAC (say 128 bits) from an arbitrary message A secret key is used to generate the MAC MAC should not be invertible The term message integrity code (MIC) is sometimes used and probably more accurate 4

Using MACs K Sender Receiver M MAC M, T M MAC T T 5

MAC using Secret Key System m 1 m 2 m 3 m 4 E E E E c 1 c 2 c 3 c 4 : CBC Residue Interested in integrity; not confidentiality Encrypt message; use last encrypted block as the MAC Send message + CBC residue m 1 m 2 m 3 m 4 c 4 6

Encryption + Integrity False solution: Use a weak (non-cryptographic) checksum inside CBC: May prove to be completely insecure! Possible solutions 1. Use two different keys in CBC mode (expensive). 2. Use a different authentication mechanism, such as HMAC, which still requires processing the data twice, but less computationally costly. 3. Use another encryption mode that provides both encryption and authentication (the future?) Some care must be taken when combining encryption with MACs, in general 7

Order of Encryption/Authentication Encrypt then authenticate: E k (m) MAC k (E k (m)) Generally secure, independent of the mode of encryption used Has the advantage to permit MAC verification before decryption (early compromise detection and avoidance of unnecessary cryptographic operations) 8

Authentication+Encryption Authenticate then encrypt: E k (m, MAC k (m)) Unsafe if a mode other than CBC is used. Provably secure with CBC. Does not permit verification before decryption. Authentication tag can be pre-computed, and remains associated with the original message after decryption. 9

Cryptographic Hash Functions 10

Hash Functions A hash function is a mathematical, efficiently computable function that has fixed size output: F : {0, 1} N {0,1} n, where N > n F: {0, 1}* {0,1} n In cryptography, the first type of hash function is often called a compression function, with the name hash function reserved for the unbounded domain type. Note: a hash function does not have a key and anyone can compute the same hash from the same message. However keyed hashes do use a key 11

Cryptographic Hash Functions Map a large space of values to a small space Hash values, also called message digests Cannot be easily invertible Examples: MD2, MD4, MD5 (128 bits), SHA-1(160 bits) SHA-2 (256/224 bits, 512/384 bits) What does it mean for a hash function to be broken? 12

Cryptographic Hash Functions The security of hash functions is defined empirically, if the following problems are found to be computationally infeasible: One way: Given y, find x such that h(x) = y Second pre-image resistant: Given x, find y x such that h(x) = h(y) Collision-resistant: Find y, x, with y x such that h(x) = h(y) Can you prove that collision resistant (also called strong collision resistant) implies second pre-image resistant (also called weak collision resistant)? 13

One Way Function: what is computationally infeasible? Given y, find x such that h(x) = y An inverse problem If it is a cryptographic hash function with 128 bit digest, need to try about half of the messages to find a message that maps to y. Need to try about 2 127 messages This should be computationally infeasible. 14

Second pre-image resistant - computational cost Given x, find y x such that h(x) = h(y) Try messages to find some y that maps to the same value as x. For a 128 bit digest, the expected number of messages to try is again about 2 127 messages for a 0.5 probability of success 15

Collision Resistant - computational cost Find y, x, with y x such that h(x) = h(y) For a cryptographic hash function, this requires solving the birthday problem, which is about 2 64 messages for a 128 bit message digest Note that collision resistant second pre-image resistant Use (A B is the same as B A) Read more about the birthday problem http://en.wikipedia.org/wiki/birthday_problem 16

Constructing Hash Functions Since constructing secure hash functions is a difficult problem, the following approach has been taken in practice: Construct a good compression function. Since the domain of compression functions are small they are easier to test for the desired properties. Use the MD construction (next) to turn a one-way, collision-resistant compression function into a hash function with similar properties. 17

Merkle-Damgard (MD) 18

A Somewhat Different View constant digest digest digest padded message one block one block one block msg digest 19

MD5 (Message Digest 5) Invented by Ron Rivest Considered broken and unsuitable for further use. Produce 128 bit message digest Assumes 32-bit words Let M be message to hash Pad M so length is 448 (mod 512) Single 1 bit followed by 0 bits At least one bit of padding, at most 512 Length before padding (64 bits) is appended After padding message is a multiple of the 512-bit block size 20

MD5 For 32-bit words A,B,C, define F(A,B,C) = (A B) ( A C) G(A,B,C) = (A C) (B C) H(A,B,C) = A B C I(A,B,C) = B (A C) selection function selection function Where,,, are AND, OR, NOT, XOR, respectively 21

MD5 Start out with 128 bit constant 4 words (A, B, C, D) Operates in rounds (for each message block) 4 rounds, 64 steps Each round manipulates state using message block Unique additive constant each step Each step adds result of previous step Round 0: Steps 0 thru 15, uses F function Round 1: Steps 16 thru 31, uses G function Round 2: Steps 32 thru 47, uses H function Round 3: Steps 48 thru 63, uses I function 22

MD5: One Step Illustration K: unique constant in each step (32 bits) W: 32 bit block of input message 32 * 16 = 512 +: binary sum (carry out of high order discarded) <<<: left shift 23

SHA-1 (Secure Hash Algorithm) Operation is similar to MD5 more similar to MD4, which we did not discuss In particular, the nonlinear functions used Produce 160 bit message digest 4 rounds, 20 steps each (for each message block) One of the series developed by NSA Security attacks: 2 51, instead of 2 80 brute force, as of 2008 SHA-3 development underway 24

SHA-1: One Step Illustration 25

Applications of Hash Functions System integrity protection: For password verification, eliminating the need to keep passwords As building blocks for message authentication codes (MACs) and digital signature algorithms. How to compute hash-based MAC? 26

Message Extension Attacks Since most hash functions are built using the Merkle- Damgard construction, they are vulnerable to lengthextension attacks: Given h(m) and length of M = len(m), but not M, an adversary can find h(m M ) for chosen M. Secret key based MACs can be used to provide integrity of message transmission to prevent this attack How about hash-based MAC? Can we add secret key into hash-based MAC? Also called Length Extension Attacks 27

Integrity Protection without Secret Key based MAC h(k m) for integrity (know m and h()) Concatenate a secret key K with a message m and then use a cryptographic hash function h(m K) (know m and h()) Concatenate the secret key K at the end Which (if either) is better? 28

H(K M)? Hashes computed in blocks Recall h(m 0,M 1 ) = F(h(M 0 ),M 1 ) Let M = (M,X) Then h(k,m ) = F(h(K,M),X) Trudy can compute HMAC of M without K Defeats the purpose of HMAC Length extension attack 29

How about H(M K)? Is this better than h(k,m)? If h(m ) = h(m) then h(m,k) = F(h(M),K) = F(h(M ),K) = h(m,k) In this case, Trudy can compute HMAC without knowing the key K But collision must be known Better than h(k,m), but we can do better 30

Building MACs from Hash Functions HMAC is a MAC from hash functions. Hash-based message authentication code Let h be the hash function. Assume L = block length of compression function input Let K be the key, K be the key padded with 0 s to length L. HMAC(K, M) = h(k opad h(k ipad M) ) ipad = 0x363636...3636 opad = 0x5c5c5c...5c5c (both of length L) 31

HMAC Key 0 0X5C5C 0X3636 message digest digest Why is it resilient to length extension attacks? 32

Reading Assignment Paper 7 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback