CryptographySecurity - PowerPoint PPT Presentation

Slides: 46
Provided by: DrLawri1

Transcript and Presenter's Notes


1
Chapter 11 and Chapter 12
Chapter 11: Message Authentication and Hash Functions
  • Goal (A → M → B):
  • 1. Guarantee no message changed
  • 2. Confirm the message sent by specified user
Chapter 12: Hash Algorithms
2
11.1 Attacks
  • Disclosure
  • Traffic analysis
  • Masquerade (Impersonate)
  • Content modification
  • Sequence modification
  • Timing modification
  • Repudiation (Impersonate)

3
Countermeasures
4
11.2 Message authentication
  • Authenticator: a short string (value) V appended
    to a message M for authenticating the message
  • Sender: M → M || V
  • Receiver: M || V → yes/no (authentication)
  • Methods (Important) Thinking
  • Method 1: Message encryption
  • Method 2: Message authentication code
  • Method 3: Hash function (Partial properties)
  • Focus: automatic authentication

5
Message Encryption
  • message encryption by itself also provides a
    measure of authentication
  • if symmetric encryption is used then
  • receiver knows sender must have created it
  • since only sender and receiver know the key used
  • receiver knows content cannot have been altered
  • if message has suitable structure, redundancy or
    a checksum to detect any changes

6
Message Encryption
  • if public-key encryption is used
  • encryption provides no confidence of sender
  • since anyone potentially knows public-key
  • however if
  • sender signs message using their private-key
  • then encrypts with recipient's public key
  • have both secrecy and authentication
  • again need to recognize corrupted messages
  • but at cost of two public-key uses on message

7
Encryption for authentication
  • First: symmetric encryption
  • Let M be a message of some bit pattern
  • E.g. M = X111110000011111
  • Authenticator: V = E_K(M)
  • Authentication
  • Compute D_K(V) = M
  • Check M = X111110000011111

8
Encryption for authentication (cont.)
  • Second: symmetric encryption
  • Compute a checksum (frame check sequence)
  • Let F be a public checksum function
  • Compute C = E_K(M || F(M))
  • Authentication
  • Compute D_K(C) = M || S
  • Check S = F(M)

9
Encryption for authentication (cont.)
10
11.3 Message authentication code
  • Prerequisite: A and B share a key K
  • Can be a session key
  • MAC: a short fixed-size data block, depending on
    the message M and the shared key K
  • MAC(K, M) = C_K(M)
  • Sender: M || C_K(M)
  • Receiver: on receiving M || C
  • Compute C' = C_K(M)
  • Check whether C' = C

11
MAC usage
12
MAC example
  • The last block of DES-CBC (cipher block chaining
    mode)

13
MAC security
  • Only A and B who share a key can create a valid
    MAC code for a message M
  • Only the designated receiver A or B can
    authenticate the received message
  • An attacker cannot modify M without
    re-calculating the MAC C_K(M)

14
11.4 Hash function
  • Hash functions H: {0,1}* → {0,1}^m
  • m is the fixed-length output
  • For example, m = 128 or 160
  • Why m = 128 or longer?
  • Note
  • Hash functions do not use keys (No Masquerade or
    impersonator)
  • Hash functions are many-to-one
  • It is like a strong checksum value.
  • It provides the functionalities about the
    received message
  • Content modification
  • Sequence modification
  • Timing modification
  • No Masquerade or impersonator
  • It must cooperate with other methods (Examples)

15
Recall Encryption for authentication
16
Recall MAC usage
17
Hash function usage
18
Hash function usage (cont.)
19
Hash function requirements
  • Easy to compute
  • Given x, it is easy to compute H(x)
  • Faster than secret-key encryption
  • Hard to invert (one-way)
  • given a hash value h, it is hard to find any x
    such that H(x) = h
  • Collision-resistance
  • It is hard to find any pair x and y such that
    H(x) = H(y)

20
Security
  • One-wayness
  • Random sampling given h
  • Randomly select x_1, x_2, ..., x_k ∈ {0,1}*
  • Compute h_i = H(x_i), 1 ≤ i ≤ k
  • Compare h = h_i for 1 ≤ i ≤ k
  • Complexity O(2^m), where m is the length of hash
    values

21
Security (cont.)
  • Collision-resistance
  • Random sampling
  • Randomly select x_1, x_2, ..., x_k ∈ {0,1}*
  • Compute h_i = H(x_i), 1 ≤ i ≤ k
  • Check whether h_i = h_j for some i, j, 1 ≤ i, j ≤ k
  • Complexity ???

22
Random sampling
  • Let n = 2^m
  • The probability P(n,k) of finding a collision
    pair (xi, xj) depends on k, the number of random
    samples

23
Random sampling (cont.)
  • Question find k such that the probability of
    finding a collision is at least 0.5

24
Random sampling (cont.)
25
Random sampling (cont.)
e^(-x) ≥ 1 - x, for x ≥ 0
26
Random sampling (cont.)
  • To have P(n,k) ≥ 0.5, we have
  • Thus, m must be at least 128 bits long

27
Birthday paradox
  • How many people are in a group with two persons
    having the same birthday with probability at
    least 0.5?
  • P(365,k) ≥ 0.5 ⇒ k ≥ 1.18 × (365)^(1/2) ≈ 23
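
The random-sampling argument of slides 21 to 27, worked through as an added example (not part of the original slides). It computes P(n,k) exactly, searches for the smallest k with P(n,k) ≥ 0.5, and finds a real collision on SHA-256 truncated to m = 24 bits; the function names and the truncation are assumptions made for the demonstration.

```python
import hashlib
import math

def collision_probability(n: int, k: int) -> float:
    """Exact P(n,k): chance that k uniform samples from n values contain a repeat."""
    p_distinct = 1.0
    for i in range(1, k):
        p_distinct *= 1.0 - i / n
    return 1.0 - p_distinct

def samples_for_half(n: int) -> int:
    """Smallest k with P(n,k) >= 0.5, found by direct search."""
    p_distinct, k = 1.0, 1
    while 1.0 - p_distinct < 0.5:
        p_distinct *= 1.0 - k / n   # the (k+1)-th sample avoids the first k values
        k += 1
    return k

def birthday_bound(n: int) -> float:
    """The slide's approximation k >= 1.18 * sqrt(n)."""
    return 1.18 * math.sqrt(n)

def truncated_hash(x: bytes, m_bits: int) -> int:
    """Top m bits of SHA-256(x): a stand-in for a hash with m-bit output."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - m_bits)

def first_collision(m_bits: int, prefix: bytes = b"msg-"):
    """Hash distinct inputs until two share an m-bit value.
    Returns (x_i, x_j, number of samples hashed)."""
    seen = {}
    i = 0
    while True:
        x = prefix + str(i).encode()          # constructed sample inputs
        h = truncated_hash(x, m_bits)
        if h in seen:
            return seen[h], x, i + 1
        seen[h] = x
        i += 1

if __name__ == "__main__":
    print("birthdays:", samples_for_half(365), "approx", round(birthday_bound(365), 1))
    x1, x2, k = first_collision(24)
    print(f"m=24: collision after {k} samples, bound {birthday_bound(2**24):.0f}")
    for m in (64, 128, 160):
        print(f"m={m}: about 2^{math.log2(birthday_bound(2**m)):.1f} samples")
```

The work grows as 2^(m/2) rather than 2^m, which is why the hash length m has to be twice the security level wanted against collision search.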

28
Recall Hash function usage
29
Ch13 RSA signature scheme
  • Let H be a hashing algorithm, publicly known
  • Signing algorithm Sig
  • Input: ((d,n), M) (0 ≤ M ≤ n-1)
  • Compute s = H(M)^d mod n
  • Output (s).
  • Verification algorithm Ver
  • Input: ((e,n), M, s) (0 ≤ s ≤ n-1)
  • Compute h = s^e mod n
  • Output yes if and only if h = H(M).

30
12.1 Hash Algorithms
  • see similarities in the evolution of hash
    functions & block ciphers
  • increasing power of brute-force attacks
  • leading to evolution in algorithms
  • from DES to AES in block ciphers
  • from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash
    algorithms
  • likewise tend to use common iterative structure
    as do block ciphers

31
MD5
  • designed by Ronald Rivest (the R in RSA)
  • latest in a series of MD2, MD4
  • produces a 128-bit hash value
  • until recently was the most widely used hash
    algorithm
  • in recent times have both brute-force &
    cryptanalytic concerns
  • specified as Internet standard RFC1321

32
MD5 Overview
  • pad message so its length is 448 mod 512
  • append a 64-bit length value to message
  • initialise 4-word (128-bit) MD buffer (A,B,C,D)
  • process message in 16-word (512-bit) blocks
  • using 4 rounds of 16 bit operations on message
    block & buffer
  • add output to buffer input to form new buffer
    value
  • output hash value is the final buffer value

33
MD5
  • Step 1 append padding bits
  • Step 2 append length of message
  • Step 3 initialize MD buffer
  • Step 4 process padded messages in 512-bit blocks
  • Step 5 Output

34
MD5 diagram
35
12.2 Secure Hash Algorithm (SHA-1)
  • SHA was designed by NIST & NSA in 1993, revised
    1995 as SHA-1
  • US standard for use with DSA signature scheme
  • standard is FIPS 180-1 1995, also Internet
    RFC3174
  • nb. the algorithm is SHA, the standard is SHS
  • produces 160-bit hash values
  • now the generally preferred hash algorithm
  • based on design of MD4 with key differences

36
Revised Secure Hash Standard
  • NIST have issued a revision FIPS 180-2
  • adds 3 additional hash algorithms
  • SHA-256, SHA-384, SHA-512
  • designed for compatibility with increased
    security provided by the AES cipher (recall five
    modes)
  • structure detail is similar to SHA-1
  • hence analysis should be similar

37
12.3 RIPEMD-160
  • RIPEMD-160 was developed in Europe as part of
    RIPE project in 96
  • by researchers involved in attacks on MD4/5
  • initial proposal strengthened following analysis
    to become RIPEMD-160
  • somewhat similar to MD5/SHA
  • uses 2 parallel lines of 5 rounds of 16 steps
  • creates a 160-bit hash value
  • slower, but probably more secure, than SHA

38
RIPEMD-160 Overview
  • pad message so its length is 448 mod 512
  • append a 64-bit length value to message
  • initialise 5-word (160-bit) buffer (A,B,C,D,E) to
  • (67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
  • process message in 16-word (512-bit) chunks
  • use 10 rounds of 16 bit operations on message
    block & buffer in 2 parallel lines of 5
  • add output to input to form new buffer value
  • output hash value is the final buffer value

39
RIPEMD-160 versus MD5 & SHA-1
  • brute force attack harder (160 like SHA-1 vs 128
    bits for MD5)
  • not vulnerable to known attacks, like SHA-1
    though stronger (compared to MD4/5)
  • slower than MD5 (more steps)
  • all designed as simple and compact
  • SHA-1 optimised for big endian CPUs vs
    RIPEMD-160 & MD5 optimised for little endian CPUs

40
12.4 Keyed Hash Functions as MACs
  • have desire to create a MAC using a hash function
    rather than a block cipher
  • because hash functions are generally faster
  • not limited by export controls unlike block
    ciphers
  • hash includes a key along with the message
  • original proposal
  • KeyedHash = Hash(Key || Message)
  • some weaknesses were found with this
  • eventually led to development of HMAC

41
HMAC
  • specified as Internet standard RFC2104
  • uses hash function on the message
  • HMAC_K = Hash[(K XOR opad) ||
    Hash[(K XOR ipad) || M]]
  • where K is the key padded out to size
  • and opad, ipad are specified padding constants
  • overhead is just 3 more hash calculations than
    the message needs alone
  • any of MD5, SHA-1, RIPEMD-160 can be used

42
HMAC: hash function-based MAC (Detail)
  • HMAC(K, H, M) = H((K' ⊕ opad) || H((K' ⊕ ipad) || M))
  • H: embedded hash function, e.g. MD5, SHA-1
  • M: the padded message
  • n: length of the hash code produced by H
  • b: the number of bits in a block
  • K: the shared key; if |K| > b, K ← H(K)
  • K': K padded with 0s such that |K'| = b
  • ipad: (00110110)^(b/8)
  • opad: (01011010)^(b/8)
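
The HMAC construction above together with the sender/receiver check of section 11.3, as an added example (not part of the original slides). It builds HMAC from the raw hash using the RFC 2104 constants (ipad byte 0x36, opad byte 0x5C) and checks the result against Python's `hmac` module; `hmac_manual`, `send`, `receive` and the sample key and message are names and values made up for the demonstration.

```python
import hashlib
import hmac

IPAD_BYTE, OPAD_BYTE = 0x36, 0x5C  # RFC 2104 padding constants

def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """H((K' XOR opad) || H((K' XOR ipad) || M)), built from the raw hash."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()
    b = hashlib.new(hash_name).block_size   # block size in bytes (64 for MD5, SHA-1)
    if len(key) > b:                        # if |K| > b, K <- H(K)
        key = H(key)
    k_pad = key.ljust(b, b"\x00")           # K': K padded with 0s so that |K'| = b
    inner = H(bytes(x ^ IPAD_BYTE for x in k_pad) + msg)
    return H(bytes(x ^ OPAD_BYTE for x in k_pad) + inner)

def send(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """Sender: transmit M || MAC (the MAC has the fixed length n)."""
    return msg + hmac_manual(key, msg, hash_name)

def receive(key: bytes, packet: bytes, hash_name: str = "sha1"):
    """Receiver: recompute the MAC over M and compare in constant time.
    Returns M on success, None if the message or the MAC was altered."""
    n = hashlib.new(hash_name).digest_size
    if len(packet) < n:
        return None
    msg, tag = packet[:-n], packet[-n:]
    ok = hmac.compare_digest(hmac_manual(key, msg, hash_name), tag)
    return msg if ok else None

if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed sample values
    packet = send(key, b"transfer 100 to B")
    print(receive(key, packet))             # original message is accepted
    tampered = packet.replace(b"100", b"900")
    print(receive(key, tampered))           # None: MAC no longer matches
    print(hmac_manual(key, b"x") == hmac.new(key, b"x", "sha1").digest())
```

In production code use `hmac.new` (or the platform's equivalent) rather than a hand-built construction, and always compare tags with a constant-time function such as `hmac.compare_digest`.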

43
HMAC (cont.)
44
HMAC efficient implementation
45
HMAC Security
  • know that the security of HMAC relates to that of
    the underlying hash algorithm
  • attacking HMAC requires either
  • brute force attack on key used
  • birthday attack (but since keyed would need to
    observe a very large number of messages)
  • choose hash function used based on speed versus
    security constraints