CSCE 715: Network Systems Security - PowerPoint PPT Presentation

1
CSCE 715: Network Systems Security
  • Chin-Tser Huang
  • huangct_at_cse.sc.edu
  • University of South Carolina

2
Next Topic in Cryptographic Tools
  • Symmetric key encryption
  • Asymmetric key encryption
  • Hash functions and message digest
  • Nonce

3
Message Authentication
  • Message authentication is concerned with
    • protecting the integrity of a message
    • validating identity of originator
    • non-repudiation of origin (dispute resolution)
  • Three alternative functions to provide message
    authentication
    • message encryption
    • message authentication code (MAC)
    • hash function

4
Providing Msg Authentication by Symmetric
Encryption
  • Receiver knows sender must have created it
    because only sender and receiver know secret key
  • Can verify integrity of content if message has
    suitable structure, redundancy or a checksum to
    detect any modification

5
Providing Msg Authentication by Asymmetric
Encryption
  • Encryption provides no confidence of sender
    because anyone potentially knows public key
  • However, if sender encrypts with receiver's public
    key and then signs using its private key, we have
    both confidentiality and authentication
  • Again need to recognize corrupted messages
  • But at cost of two public-key uses on message

6
Providing Msg Authentication by Asymmetric
Encryption

7
Message Authentication Code (MAC)
  • Generated by an algorithm that creates a small
    fixed-sized block
    • depending on both message and some key
    • like encryption, though it need not be reversible
  • Appended to message as a signature
  • Receiver performs same computation on message and
    checks if it matches the MAC
  • Provides assurance that message is unaltered and
    comes from claimed sender

8
Uses of MAC

9
MAC Properties
  • Cryptographic checksum
    • MAC = $C_K(M)$
    • condenses a variable-length message M
    • using a secret key K
    • to a fixed-sized authenticator
  • Many-to-one function
    • potentially many messages have same MAC
    • make sure finding collisions is very difficult

10
Requirements for MACs
  • Should take into account the types of attacks
  • Need the MAC to satisfy the following
    • knowing a message and MAC, it is infeasible to
      find another message with same MAC
    • MACs should be uniformly distributed
    • MAC should depend equally on all bits of the
      message
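
The MAC workflow and requirements from the last few slides, as an added example that is not part of the original slides. It assumes HMAC-SHA-256 from the Python standard library as the MAC function $C_K$ (the slides do not name HMAC); the key and the helper names are constructed for the demonstration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key-0123456789"  # constructed shared secret K
TAG_LEN = 32                               # HMAC-SHA-256 tag size in bytes

def mac(key: bytes, message: bytes) -> bytes:
    """C_K(M): fixed-size authenticator over a variable-length message."""
    return hmac.new(key, message, hashlib.sha256).digest()

def send(key: bytes, message: bytes) -> bytes:
    """Sender appends the MAC to the message."""
    return message + mac(key, message)

def receive(key: bytes, packet: bytes) -> bytes:
    """Receiver recomputes the MAC and compares it in constant time."""
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(mac(key, message), tag):
        raise ValueError("MAC mismatch: message altered or wrong key")
    return message

def is_accepted(key: bytes, packet: bytes) -> bool:
    try:
        receive(key, packet)
        return True
    except ValueError:
        return False

def avalanche(key: bytes, message: bytes) -> float:
    """Flip each message bit in turn and return the mean fraction of
    tag bits that change (about 0.5 if the MAC depends on every bit)."""
    base = int.from_bytes(mac(key, message), "big")
    nbits, changed = len(message) * 8, 0
    for i in range(nbits):
        m = bytearray(message)
        m[i // 8] ^= 1 << (i % 8)
        tag = int.from_bytes(mac(key, bytes(m)), "big")
        changed += bin(base ^ tag).count("1")
    return changed / (nbits * TAG_LEN * 8)

if __name__ == "__main__":
    msg = b"transfer 100 to account 42 now!!"   # constructed sample message
    print(is_accepted(KEY, send(KEY, msg)), round(avalanche(KEY, msg), 3))
```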

11
Using Symmetric Ciphers for MAC
  • Can use any block cipher chaining mode and use
    final block as a MAC
  • Data Authentication Algorithm (DAA) is a widely
    used MAC based on DES-CBC
    • using $IV = 0$ and zero-pad of final block
    • encrypt message using DES in CBC mode
    • and send just the final block as the MAC
    • or the leftmost M bits ($16 \le M \le 64$) of final block
  • But final MAC is now too small for security

12
Hash Functions
  • Condense arbitrary message to fixed size
  • Usually assume that the hash function is public
    and not keyed
  • Hash value is used to detect changes to message
  • Can use in various ways with message
  • Most often to create a digital signature

13
Uses of Hash Functions

14
Uses of Hash Functions

15
Hash Function Properties
  • Hash function produces a fingerprint of some
    file/message/data
    • $h = H(M)$
    • condenses a variable-length message M
    • to a fixed-sized fingerprint
  • Assumed to be public

16
Requirements for Hash Functions
  1. can be applied to any sized message M
  2. produces fixed-length output h
  3. easy to compute $h = H(M)$ for any message M
  4. one-way property: given h, it is infeasible to find
    x s.t. $H(x) = h$
  5. weak collision resistance: given x, it is infeasible
    to find y s.t. $H(y) = H(x)$
  6. strong collision resistance: it is infeasible to find
    any x, y s.t. $H(y) = H(x)$

17
Simple Hash Functions
  • Several proposals for simple functions
  • Based on XOR of message blocks
  • Not secure since can manipulate any message and
    either not change hash or change hash also
  • Need a stronger cryptographic function
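
Why an XOR-of-blocks hash gives no integrity protection, as an added example that is not part of the original slides. The 8-byte block size, the sample messages and all function names are constructed for the demonstration.

```python
BLOCK = 8  # bytes per block (constructed choice: 64-bit blocks)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def zero_pad(msg: bytes) -> bytes:
    return msg + bytes(-len(msg) % BLOCK)

def xor_hash(msg: bytes) -> bytes:
    """Simple hash: zero-pad to whole blocks, then XOR all blocks together."""
    msg, h = zero_pad(msg), bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        h = xor(h, msg[i:i + BLOCK])
    return h

def reorder(msg: bytes) -> bytes:
    """Swap the first two blocks: the content changes, the hash does not."""
    return msg[BLOCK:2 * BLOCK] + msg[:BLOCK] + msg[2 * BLOCK:]

def hash_after_edit(old_hash: bytes, old_block: bytes, new_block: bytes) -> bytes:
    """Hash of an edited message, derived from the old hash alone:
    XOR out the old block and XOR in the new one."""
    return xor(old_hash, xor(old_block, new_block))

def compensate(msg: bytes, target_hash: bytes) -> bytes:
    """Append one block so that the result hashes to target_hash."""
    padded = zero_pad(msg)
    return padded + xor(xor_hash(padded), target_hash)

# Constructed sample messages (three 8-byte blocks each).
ORIGINAL = b"PAY 0100 USD TO ALICE   "
ALTERED = b"PAY 9900 USD TO MALLORY "

if __name__ == "__main__":
    print(xor_hash(ORIGINAL).hex())
    print(xor_hash(reorder(ORIGINAL)).hex())                       # same value
    print(xor_hash(compensate(ALTERED, xor_hash(ORIGINAL))).hex())  # same value
```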

18
Block Ciphers as Hash Functions
  • Can use block ciphers as hash functions
    • use $H_0 = 0$ and zero-pad of final block
    • compute $H_i = E_{M_i}[H_{i-1}]$
    • use final block as the hash value
    • similar to CBC but without a key
  • Resulting hash is too small (64-bit)
    • both due to direct birthday attack and to
      meet-in-the-middle attack
  • Other variants also susceptible to attack

19
Birthday Attacks
  • Might think a 64-bit hash is secure
  • However, by the Birthday Paradox, it is not
  • Birthday attack works as follows
    • given hash code length is m, adversary generates
      $2^{m/2}$ variations of a valid message all with
      essentially the same meaning
    • adversary also generates $2^{m/2}$ variations of a
      desired fraudulent message
    • two sets of messages are compared to find pair
      with same hash (probability > 0.5 by birthday
      paradox)
    • have user sign the valid message, then substitute
      the forgery which will have a valid signature
  • If 64-bit hash code is used, level of attack
    effort is only on the order of $2^{32}$
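
The $2^{m/2}$ estimate measured on a deliberately short hash, as an added example that is not part of the original slides. It assumes an m = 24-bit hash built by truncating SHA-256 so the search finishes in well under a second; the two sample texts and the spacing-based variation scheme are constructed.

```python
import hashlib

M_BITS = 24  # hash code length m (constructed: small enough to search quickly)

def h(msg: bytes) -> int:
    """m-bit hash: the leading M_BITS bits of SHA-256."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - M_BITS)

def variant(words, i: int) -> bytes:
    """i-th variation with the same meaning: bit k of i selects one or two
    spaces after word k (20 words give 2**20 distinct variations)."""
    return "".join(w + (" ", "  ")[(i >> k) & 1] for k, w in enumerate(words)).encode()

# Constructed sample texts, 20 words each.
VALID = ("I agree to pay the bearer of this note the sum of "
         "ten dollars on demand at any branch office").split()
FRAUD = ("I agree to pay the bearer of this note the sum of "
         "ten thousand dollars on demand at any branch").split()

def birthday_search(valid, fraud, limit=1 << 20):
    """Grow both sets in step until a valid/fraud pair shares a hash.
    Returns (valid_msg, fraud_msg, variations_generated_per_side)."""
    seen_valid, seen_fraud = {}, {}
    for i in range(limit):
        v, f = variant(valid, i), variant(fraud, i)
        hv, hf = h(v), h(f)
        seen_valid[hv], seen_fraud[hf] = v, f
        if hv in seen_fraud:
            return v, seen_fraud[hv], i + 1
        if hf in seen_valid:
            return seen_valid[hf], f, i + 1
    return None

if __name__ == "__main__":
    v, f, n = birthday_search(VALID, FRAUD)
    print(f"matching pair after {n} variations per side "
          f"(2^(m/2) = {1 << (M_BITS // 2)}, 2^m = {1 << M_BITS})")
```

The same arithmetic is why digest lengths are chosen so that $2^{m/2}$, not $2^m$, is out of reach.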

20
Example with $2^{37}$ Variations

21
Hash Algorithm Structure

22
MD5
  • Designed by Ronald Rivest (the R in RSA)
  • Latest in a series of MD2, MD4
  • Produce a hash value of 128 bits (16 bytes)
  • Was the most widely used hash algorithm
  • in recent times have both brute-force and
    cryptanalytic concerns
  • Specified as Internet standard RFC1321

23
Security of MD5
  • MD5 hash is dependent on all message bits
  • Rivest claims security is good as can be
  • However known attacks include
    • Berson in 1992 attacked any 1 round using
      differential cryptanalysis (but can't extend)
    • Boer & Bosselaers in 1993 found a pseudo
      collision (again unable to extend)
    • Dobbertin in 1996 created collisions on MD
      compression function (but initial constants
      prevent exploit)
    • Wang et al announced cracking MD5 on Aug 17, 2004
      (paper available on Useful Links)
  • Thus MD5 has become vulnerable

24
Secure Hash Algorithm
  • SHA originally designed by NIST & NSA in 1993
  • Was revised in 1995 as SHA-1
  • US standard for use with DSA signature scheme
  • standard is FIPS 180-1 1995, also Internet
    RFC3174
  • Based on design of MD4 but with key differences
  • Produces 160-bit hash values
  • Recent 2005 results (Wang et al) on security of
    SHA-1 have raised concerns on its use in future
    applications

25
Revised Secure Hash Standard
  • NIST issued revision FIPS 180-2 in 2002
  • Adds 3 additional versions of SHA
  • SHA-256, SHA-384, SHA-512
  • Designed for compatibility with increased
    security provided by the AES cipher
  • Structure and detail similar to SHA-1
  • Hence analysis should be similar
  • But security levels are rather higher

26
SHA-512 Overview
  • pad message so its length is 896 mod 1024
    • padding length between 1 and 1024
    • append a 128-bit length value to message
  • initialize 8 64-bit registers (A,B,C,D,E,F,G,H)
  • process message in 1024-bit blocks
    • expand 16 64-bit words into 80 words by mixing &
      shifting
    • 80 rounds of operations on message block & buffer
    • add output to input to form new buffer value
  • output hash value is the final buffer value

27
SHA-512 Overview

28
SHA-512 Compression Function
  • Heart of the algorithm
  • Processing message in 1024-bit blocks
  • Consists of 80 rounds
  • updating a 512-bit buffer
  • using a 64-bit value Wt derived from the current
    message block
  • and a round constant based on cube root of first
    80 prime numbers

29
SHA-512 Round Function

30
SHA-512 Round Function

31
Whirlpool
  • Endorsed by European NESSIE project
  • Uses modified AES internals as compression
    function
  • Addressing concerns on use of block ciphers seen
    previously
  • With performance comparable to dedicated
    algorithms like SHA

32
Whirlpool Overview

33
Whirlpool Block Cipher W
  • Designed specifically for hash function use
  • With security and efficiency of AES
  • But with 512-bit block size and hence hash
  • Similar structure & functions as AES but
    • input is mapped row wise
    • has 10 rounds
    • a different primitive polynomial for $GF(2^8)$
    • uses different S-box design & values

34
Whirlpool Block Cipher W

35
Whirlpool Performance & Security
  • Whirlpool is a very new proposal
  • Hence little experience with use
  • But many AES findings should apply
  • Does seem to need more h/w than SHA, but with
    better resulting performance in terms of
    throughput

36
Next Class
  • Replay attacks
  • Timestamps and nonces
  • Anti-replay protocols