Chap 11. Message Authentication and Hash Functions - PowerPoint PPT Presentation

Slides: 45
Provided by: hyo5

Transcript and Presenter's Notes


1
Chap 11. Message Authentication and Hash Functions
2
Contents
  • Authentication Requirements
  • Authentication Functions
  • Message Authentication Codes (MACs)
  • Hash Functions
  • Security of Hash Functions and MACs

3
Authentication Requirements
Authentication Requirements
  • Kinds of attacks in the context of communications
    across a network
  • Disclosure
  • Traffic analysis
  • Masquerade
  • Content modification
  • Sequence modification
  • Timing modification
  • Source repudiation
  • Destination repudiation

Confidentiality
Message Authentication
Digital Signature
Specialized Digital Signature
4
Authentication Requirements
Authentication Requirements
  • Message authentication
  • A procedure to verify that received messages come
    from the alleged source and have not been altered
  • Message authentication may also verify sequencing
    and timeliness
  • Digital signature
  • An authentication technique that also includes
    measures to counter repudiation by the source

5
Authentication Functions
Authentication Functions
  • Message authentication or digital signature
    mechanism can be viewed as having two levels
  • At the lower level there must be some sort of
    function producing an authenticator: a value to
    be used to authenticate a message
  • This lower-level function is used as a primitive
    in a higher-level authentication protocol
  • Three classes of functions that may be used to
    produce an authenticator
  • Message encryption
  • Ciphertext itself serves as authenticator
  • Message authentication code (MAC)
  • A function of the message and a secret key that
    produces a fixed-length value that serves as the
    authenticator
  • Hash function
  • A function that maps a message of any length into
    a fixed-length hash value that serves as the
    authenticator

6
Message Encryption
Authentication Functions
  • Symmetric encryption can serve as authenticator
  • Symmetric encryption provides authentication as
    well as confidentiality
  • Requires recognizable plaintext or other
    structure to distinguish between well-formed
    legitimate plaintext and meaningless random bits
  • e.g., ASCII text, an appended checksum, or use of
    layered protocols
  • Public-key encryption also can serve as
    authenticator

7
Basic Uses of Message Encryption
Authentication Functions
8
Authentication Functions
Basic Uses of Message Encryption
9
Basic Uses of Message Encryption
10
Authentication Functions
Ways of Providing Structure - 1
  • Append an error-detecting code (frame check
    sequence (FCS) or checksum) to each message
    before encryption

11
Authentication Functions
Ways of Providing Structure - 2
  • Suppose all of the datagram except the IP header is
    encrypted.
  • If an opponent substituted some arbitrary bit
    pattern for the encrypted TCP segment, the
    resulting plaintext would not include a
    meaningful header
  • Checksum
  • Sequence number

12
Message Authentication Code
Authentication Functions
  • Uses a shared secret key to generate a fixed-size
    block of data (known as a cryptographic checksum
    or MAC) that is appended to the message
  • MAC = $C_K(M)$, where C is a MAC function
  • Assurances
  • Message has not been altered
  • Message is from the alleged sender
  • Message sequence is unaltered (requires internal
    sequencing)
  • Similar to encryption, but the MAC algorithm need not
    be reversible

13
Authentication Functions
Basic Uses of MAC
14
Authentication Functions
Basic Uses of MAC
15
Why Use MACs?
Authentication Functions
  • Why not just use encryption?
  • Cleartext stays clear
  • MAC might be cheaper
  • Sometimes only authentication is needed
  • Broadcast
  • Authentication of executable codes
  • Sometimes need authentication to persist longer
    than the encryption (e.g., archival use)
  • Separation of authentication and confidentiality
    provides architectural flexibility
  • MAC does not provide a digital signature
  • Because both sender and receiver share the same
    key

16
Hash Function
Authentication Functions
  • One-way hash function
  • Converts a variable size message M into fixed
    size hash code H(M) (Sometimes called a message
    digest)
  • Unlike the MAC, a hash code does not use a key
    but is a function only of the input message
  • Provides message integrity
  • Can be used with encryption or a shared key for
    authentication
  • $E(M \,\|\, H(M))$: identical to the internal error
    control strategy
  • $M \,\|\, E(H(M))$: a MAC
  • $M \,\|\,$ signed H: typical digital signature
  • $E(M \,\|\,$ signed H$)$
  • $M \,\|\, H(M \,\|\, K)$: keyed hash (no encryption)
  • $E(M \,\|\, H(M \,\|\, K))$

17
Authentication Functions
Basic Uses of Hash Function
18
Authentication Functions
Basic Uses of Hash Function
19
Authentication Functions
Basic Uses of Hash Function
20
Message Authentication Codes
MACs
  • MAC = $C_K(M)$
  • M is a variable-length message
  • K is a key shared only by sender and receiver
  • MAC is the fixed-length authenticator
  • Key length requirements
  • Sufficient key length to thwart brute-force
    attack
  • On average, require $2^{k-1}$ attempts for a k-bit key

21
Brute-force Attacks on MACs
MACs
  • Let k = key length, n = MAC length
  • Suppose confidentiality is not employed,
    i.e., the opponent has access to plaintext
    messages and their associated MACs
  • If $k > n$
  • Brute force gives $2^{k-n}$ candidate keys
  • Given a known $M_1$ and $MAC_1$, with $MAC_1 = C_{K_1}(M_1)$,
    the cryptanalyst can perform $MAC_i = C_{K_i}(M_1)$
    for all possible key values $K_i$.
  • At least one key is guaranteed to produce a match
  • On average, a total of $2^k/2^n = 2^{k-n}$ keys will
    produce a match
  • Second round (a new M and MAC) reduces this to
    $2^{k-2n}$ candidate keys
  • On average, this requires $\lceil k/n \rceil$ rounds
  • If $k \le n$, one round should suffice

22
Attacks on MACs
MACs
  • Other attacks are possible, depending on the MAC
    algorithm
  • E.g., consider the following MAC algorithm
  • Let $M = (X_1 \,\|\, X_2 \,\|\, \cdots \,\|\, X_m)$ be a message that
    is treated as a concatenation of 64-bit blocks $X_i$
  • Define $\Delta(M) = X_1 \oplus X_2 \oplus \cdots \oplus X_m$ and
    $C_K(M) = E_K[\Delta(M)]$
  • The opponent can attack the system as follows
  • Replace $X_i$ by $Y_i$ for i = 1 to m-1
  • Calculate $Y_m$ to produce the right checksum, and
    replace $X_m$ by $Y_m$
  • $Y_m = Y_1 \oplus Y_2 \oplus \cdots \oplus Y_{m-1} \oplus \Delta(M)$
  • The new message, $Y_1$ thru $Y_m$, with the original
    MAC will be accepted as authentic by the receiver
  • With this tactic, any message of length $64 \times (m-1)$
    bits can be fraudulently inserted
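
The weakness on this slide, as an added example that is not part of the original deck: the XOR-checksum MAC only sees $\Delta(M)$, so a verifier cannot tell two messages with equal $\Delta$ apart, while a MAC over the whole message (HMAC here) can. `prf` (truncated HMAC-SHA-256) is an assumed stand-in for $E_K$, and the function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks X_i, as on the slide


def split_blocks(msg: bytes) -> list[bytes]:
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of 64-bit blocks")
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]


def delta(blocks: list[bytes]) -> bytes:
    """Delta(M): XOR of all blocks."""
    acc = bytes(BLOCK)
    for block in blocks:
        acc = bytes(a ^ b for a, b in zip(acc, block))
    return acc


def prf(key: bytes, block: bytes) -> bytes:
    # Assumption: stand-in for E_K; the flaw below does not depend on E.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor_mac(key: bytes, msg: bytes) -> bytes:
    """The slide's C_K(M) = E_K[Delta(M)]."""
    return prf(key, delta(split_blocks(msg)))


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    """A MAC that depends on every block and on block order."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def fix_last_block(original: bytes, new_prefix: bytes) -> bytes:
    """Choose Y_m = Y_1 ^ ... ^ Y_{m-1} ^ Delta(M); needs no key."""
    y = split_blocks(new_prefix)
    if len(y) != len(split_blocks(original)) - 1:
        raise ValueError("prefix must be m-1 blocks")
    return new_prefix + delta(y + [delta(split_blocks(original))])


def compare(key: bytes, original: bytes, new_prefix: bytes) -> dict:
    altered = fix_last_block(original, new_prefix)
    return {
        "xor_mac_accepts": hmac.compare_digest(xor_mac(key, altered), xor_mac(key, original)),
        "hmac_accepts": hmac.compare_digest(hmac_tag(key, altered), hmac_tag(key, original)),
    }


# Constructed sample input: four 64-bit blocks and a three-block replacement.
ORIGINAL = b"PAY 0000100 USD TO ACCT 11112222"
NEW_PREFIX = b"PAY 9999900 USD TO ACCT "

if __name__ == "__main__":
    print(compare(b"k" * 16, ORIGINAL, NEW_PREFIX))
```

The last block of the altered message is forced by the checksum, which is why only the first m-1 blocks are free.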

23
Requirements for MAC Functions
MACs
  • Assume that an opponent knows the MAC function C
    but does not know K. Then the MAC function should
    have the following properties
  • Given M and $C_K(M)$, it must be computationally
    infeasible to construct $M'$ s.t. $C_K(M') = C_K(M)$
  • $C_K(M)$ should be uniformly distributed in the
    sense that for any M and $M'$, $\Pr[C_K(M) = C_K(M')]$
    should be $2^{-n}$, where n is the length of the MAC
  • Let $M'$ be equal to some known transformation on
    M. That is, $M' = f(M)$. In that case,
    $\Pr[C_K(M) = C_K(M')] = 2^{-n}$.

24
MAC Based on DES (CBC-MAC)
MACs
  • Last block of CBC mode of DES, with IV = 0
  • Referred to as Data Authentication Algorithm
    (FIPS PUB 113 and ANSI standard (X9.17))
  • Security weaknesses have been discovered and it
    is being replaced (refer to Chap.12 CMAC)
  • Data Authentication Code (DAC) consists of 16 to
    64 leftmost bits of $O_N$

25
Hash Functions
Hash Functions
  • $h = H(M)$
  • M is a variable-length message
  • h is a fixed-length hash value
  • H is a hash function
  • The hash value is appended at the source
  • The receiver authenticates the message by
    recomputing the hash value
  • Because the hash function itself is not
    considered to be secret, some means is required
    to protect the hash value

26
Hash Function Requirements
Hash Functions
  • H can be applied to any size data block
  • H produces fixed-length output
  • H(x) is relatively easy to compute for any given
    x
  • H is one-way, i.e., given h, it is
    computationally infeasible to find any x s.t.
    $h = H(x)$
  • H is weakly collision resistant: given x, it is
    computationally infeasible to find any $y \ne x$ s.t.
    $H(x) = H(y)$
  • H is strongly collision resistant: it is
    computationally infeasible to find any x and y
    s.t. $H(x) = H(y)$

27
Hash Function Requirements
Hash Functions
  • (1) One-way property is essential for
    authentication
  • (2) Weak collision resistance is necessary to
    prevent forgery
  • (3) Strong collision resistance is important for
    resistance to birthday attack
  • Relationships among the properties
  • (3) implies (2)
  • (3) implies (1)

28
Simple Hash Functions
Hash Functions
  • Operation of hash functions
  • The input is viewed as a sequence of n-bit blocks
  • The input is processed one block at a time in an
    iterative fashion to produce an n-bit hash
    function
  • Simplest hash function: bitwise XOR of every
    block
  • $C_i = b_{i1} \oplus b_{i2} \oplus \cdots \oplus b_{im}$
  • $C_i$ = i-th bit of the hash code, $1 \le i \le n$
  • m = number of n-bit blocks in the input
  • $b_{ij}$ = i-th bit in j-th block
  • Known as longitudinal redundancy check
  • Not useful as a one-way function
  • Less effective in some cases
  • E.g., if only 7-bit out of 8-bit characters is
    used in text files, the 128-bit hash value is
    effectively 112-bit
  • We will encounter strong hash functions in Chap.12

29
Simple Hash Functions
Hash Functions
  • Improvement over the simple bitwise XOR
    (Rotated XOR)
  • Initially set the n-bit hash value to zero
  • Process each successive n-bit block of data as follows
  • Rotate the current hash value to the left by one
    bit
  • XOR the block into the hash value
  • Effect on randomizing the input

30
Iterated Hash Functions
Hash Function
  • Suppose that $f: \{0,1\}^{n+b} \to \{0,1\}^n$ is a
    compression function (where $b \ge 1$).
  • $CV_0 = IV$ = initial n-bit value,
  • $CV_i = f(CV_{i-1}, Y_{i-1})$, $1 \le i \le L$,
  • $H(M) = CV_L$,
  • where the input to the hash function is a
    message M consisting of the blocks $Y_0, Y_1, \ldots, Y_{L-1}$

31
Iterated Hash Functions
Hash Function
  • Merkle-Damgård Construction
  • If the compression function is collision
    resistant, then so is the resultant iterated hash
    function (formal proof is given)
  • The problem of designing a secure hash function
    reduces to that of designing a collision-resistant
    compression function that operates on inputs of
    some fixed size
  • Secure Hash Algorithm (SHA-1)
  • An iterated hash function with a 160-bit message
    digest
  • In 2005, NIST announced the intention to phase
    out approval of SHA-1
  • Collisions in the complete hash function SHA-1
    were found using $2^{69}$ operations
  • Far fewer than the $2^{80}$ operations previously
    thought
  • SHA-256, SHA-384, and SHA-512 are recommended

32
Birthday Paradox for Birthday Attack
Birthday Attack
  • Given a hash function H with n possible outputs
    and a specific value h, how many random inputs
    must we test before our chance of finding some x
    s.t. $h = H(x)$ is greater than 1/2?
  • Obviously it is n/2
  • For any single value y, $\Pr[h = H(y)] = 1/n$
  • Equivalently, $\Pr[h \ne H(y)] = 1 - 1/n$
  • If we generate k random values, the probability
    that none of them matches h is $(1 - 1/n)^k$
  • The binomial theorem states that
    $(1-a)^k = 1 - ka + \frac{k(k-1)}{2!}a^2 - \frac{k(k-1)(k-2)}{3!}a^3 + \cdots$
  • For small a, this is approximately $1 - ka$
  • So the probability that one of the k random
    values matches is $1 - (1 - 1/n)^k \approx k/n$
  • For probability 1/2, $k \approx n/2$

33
Birthday Paradox
Birthday Attack
  • Given k random inputs, what is the chance that
    any two of them produce the same output?
  • Let $\Pr[n, k]$ be the probability that among k
    independently selected random values taken from n
    possible values, there is at least one duplicate
    value
  • Let $Q(n, k)$ denote the probability of no
    duplicates
  • Let $N(k)$ be the number of different ways we can
    have k values with no duplicates
  • $N(1) = n$
  • $N(2) = n \times (n-1)$
  • $N(3) = n \times (n-1) \times (n-2)$
  • $N(k) = n \times (n-1) \times (n-2) \times \cdots \times (n-k+1) = n! / (n-k)!$
  • $Q(n, k) = n! / ((n-k)! \times n^k)$
  • If we allow duplicates, the number of selections
    is $n^k$
  • $\Pr[n, k] = 1 - Q(n, k)$
  • Example: $\Pr[365, k]$ is approximately 1/2 when k
    is 23.

34
Birthday Paradox
Birthday Attack
35
Birthday Paradox - Generalization
Birthday Attack
  • Rewriting,
  • $\Pr[n, k] = 1 - (n \times (n-1) \times \cdots \times (n-k+1))/n^k$
    $= 1 - [(n-1)/n \times (n-2)/n \times \cdots \times (n-k+1)/n]$
    $= 1 - [(1 - 1/n) \times (1 - 2/n) \times \cdots \times (1 - (k-1)/n)]$
  • Because $(1-x) \le e^{-x}$ for all $x \ge 0$, we can write
  • $\Pr[n, k] \ge 1 - (e^{-1/n} \times e^{-2/n} \times \cdots \times e^{-(k-1)/n})$
    $= 1 - e^{-(1/n + 2/n + \cdots + (k-1)/n)}$
    $= 1 - e^{-k(k-1)/2n}$
  • Solving for $\Pr[n, k] \ge 0.5$,
  • $1/2 = 1 - e^{-k(k-1)/2n}$, so $1/2 = e^{-k(k-1)/2n}$,
    so $2 = e^{k(k-1)/2n}$, so
    $\ln(2) = k(k-1)/2n$
  • For large k, $k \approx k-1$, giving $\ln(2) \approx k^2/2n$
  • So $k \approx 1.18 \sqrt{n}$
  • In rough terms, $k \approx \sqrt{n}$

36
Birthday Paradox - Generalization
Birthday Attack
  • Let a hash function H have m-bit output (i.e., $2^m$
    possible outputs). What is the value of k s.t.
    if H is applied to k random inputs, a duplicate
    is likely? (i.e., $H(x) = H(y)$ for some inputs x
    and y)
  • Approximately $k \approx 2^{m/2}$
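
A numerical check of the birthday derivation above, as an added example that is not part of the original deck: it computes the exact duplicate probability and the exponential bound, then counts how many inputs it takes to hit a repeated value in an m-bit hash. SHA-256 truncated to its top m bits is an assumed stand-in for an m-bit hash function, and the inputs are constructed counter strings.

```python
import hashlib
import math


def p_duplicate(n: int, k: int) -> float:
    """Exact Pr[n, k] = 1 - n! / ((n-k)! * n^k), as a running product."""
    q = 1.0
    for i in range(k):
        q *= (n - i) / n
    return 1.0 - q


def p_duplicate_bound(n: int, k: int) -> float:
    """The derivation's lower bound 1 - e^{-k(k-1)/2n}."""
    return 1.0 - math.exp(-k * (k - 1) / (2 * n))


def smallest_k(n: int, target: float = 0.5) -> int:
    """Smallest k for which the exact duplicate probability reaches target."""
    k = 1
    while p_duplicate(n, k) < target:
        k += 1
    return k


def truncated_hash(data: bytes, m_bits: int) -> int:
    # Assumption: SHA-256 cut to its top m bits stands in for an m-bit hash.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - m_bits)


def first_duplicate(m_bits: int):
    """Hash constructed inputs until two of them share an m-bit value."""
    seen = {}
    count = 0
    while True:
        msg = b"input-%d" % count
        count += 1
        h = truncated_hash(msg, m_bits)
        if h in seen:
            return seen[h], msg, count
        seen[h] = msg


if __name__ == "__main__":
    print("k for n=365:", smallest_k(365), "Pr:", round(p_duplicate(365, 23), 4))
    for m in (16, 24, 32):
        _, _, count = first_duplicate(m)
        print(f"m={m}: duplicate after {count} inputs; 1.18*2^(m/2) = {1.18 * 2 ** (m / 2):.0f}")
```

The counts track $2^{m/2}$, not $2^m$, which is why the output length has to be chosen from the collision bound.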

37
Birthday Paradox Overlap b/w Two Sets
Birthday Attack
  • Given a random variable that is an integer with
    uniform distribution between 1 and n and two sets
    of k instances ($k \le n$) of the random variable,
    let $R(n, k)$ be the probability that two sets are
    not disjoint, i.e., the probability that there is
    at least one value found in both.
  • What value of k is required s.t. $R(n, k) > 0.5$?
  • Approximately $k \approx \sqrt{n}$
  • Suppose we have a hash function H, with $2^m$
    possible outputs (i.e., an m-bit output). Apply H
    to k random inputs to produce the set X and again
    to k additional random inputs to produce the set
    Y.
  • What must be the value of k so that there is the
    probability of at least one match between the two
    sets, i.e., $H(x) = H(y)$ for some inputs $x \in X$,
    $y \in Y$?
  • Approximately $k \approx 2^{m/2}$

38
Birthday Attack
Birthday Attack
  • If the adversary can generate $2^{m/2}$ variants of a
    valid message and an equal number of fraudulent
    messages
  • The two sets are compared to find one message
    from each set with a common hash value
  • The valid message is offered for signature
  • The fraudulent message with the same hash value
    is inserted in its place
  • If a 64-bit hash code is used, the level of
    effort is only on the order of $2^{32}$
  • Conclusion: the length of the hash code must be
    substantial

39
Birthday Attack
Generating $2^{m/2}$ Variants of Valid Messages
  • Insert a number of space-backspace-space
    character pairs between words throughout the
    document.
  • Variations could then be generated by substituting
    space-backspace-space in selected instances
  • Alternatively, simply reword the message but
    retain the meaning

40
Block Chaining Techniques
Hash Function
  • Hash functions based on using a cipher block
    chaining technique, but without the secret key
  • Rabin's proposal
  • Divide a message M into fixed-size blocks $M_1, M_2,
    \ldots, M_N$ and use a symmetric encryption system such
    as DES to compute the hash code G as follows
  • $H_0$ = initial value
  • $H_i = E_{M_i}[H_{i-1}]$
  • $G = H_N$
  • Similar to CBC technique, but no secret key
  • As with any hash code, subject to the birthday
    attack
  • If DES is used, and only a 64-bit hash code is
    produced, then the system is vulnerable
  • Another version of birthday attack is possible

41
Birthday Attack to Block Chaining
Hash Function
  • Meet-in-the-Middle Attack
  • Assume the opponent intercepts a message with a
    signature in the form of an encrypted hash code
    and the unencrypted hash code is m bits long
  • Use the algorithm (Rabin's) to calculate the
    unencrypted hash code G
  • Construct any desired message in the form $Q_1, Q_2,
    \ldots, Q_{N-2}$
  • Compute $H_i = E_{Q_i}[H_{i-1}]$ for $1 \le i \le (N-2)$
  • Generate $2^{m/2}$ random blocks; for each block X,
    compute $E_X[H_{N-2}]$. Generate an additional $2^{m/2}$
    random blocks; for each block Y, compute $D_Y[G]$.
  • Based on birthday paradox, with high probability
    there will be an X and Y s.t. $E_X[H_{N-2}] = D_Y[G]$
  • Form the message $Q_1, Q_2, \ldots, Q_{N-2}, X, Y$. This
    message has the hash code G and therefore can be
    used with the intercepted encrypted signature

42
Brute-Force Attack of Hash Functions
Security of Hash Functions and MACs
  • Three desirable properties of hash functions
  • One-way: For any given code h, it is
    computationally infeasible to find x s.t. $H(x) = h$
  • Weak collision resistance: For any given block x,
    it is computationally infeasible to find $y \ne x$
    s.t. $H(y) = H(x)$
  • Strong collision resistance: It is
    computationally infeasible to find any pair (x,
    y) s.t. $H(y) = H(x)$
  • Brute-force attack on n-bit hash code
  • One-way and weak collision require $2^n$ effort
  • Strong collision requires $2^{n/2}$ effort
  • If strong collision resistance is required (and
    this is desirable for a general-purpose secure
    hash code), $2^{n/2}$ determines the strength of hash
    code against brute-force attack
  • Currently, two most popular hash codes, SHA-1 and
    RIPEMD-160, provide a 160-bit hash code length
  • However, even 160 bits is now considered weak

43
Brute-Force Attack of MACs
Security of Hash Functions and MACs
  • Desired security property of a MAC algorithm
  • Computation resistance: Given one or more
    text-MAC pairs $(x_i, C_K(x_i))$, it is
    computationally infeasible to compute any
    text-MAC pair $(x, C_K(x))$ for any new input $x \ne x_i$
  • Brute-force attack on key space or MAC space
  • Brute-force key space search for k-bit key
  • Overall effort is roughly $2^k$
  • Brute-force MAC space search for n-bit MAC value
  • Require chosen text-MAC pairs or knowledge of the
    key
  • Overall effort is roughly $2^n$
  • The level of effort for brute-force attack on a
    MAC algorithm is $\min(2^k, 2^n)$
  • It is required that $\min(k, n) \ge N$, where $N \ge 128$

44
Chapter 11 Homework
  • Prob. 11.4, 11.7
  • Due by June 16, 2006