Lecture 2: Message Authentication - PowerPoint PPT Presentation

1 / 19
About This Presentation
Title:

Lecture 2: Message Authentication

Description:

Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security – PowerPoint PPT presentation

Number of Views:116
Avg rating:3.0/5.0
Slides: 20
Provided by: TheL60
Category:

less

Transcript and Presenter's Notes

Title: Lecture 2: Message Authentication


1
Lecture 2 Message Authentication
  • Anish Arora
  • CSE5473
  • Introduction to Network Security

2
Message authentication
  • message authentication is concerned with
  • protecting the integrity of a message
  • validating identity of originator
  • protecting the order or timeliness of a message
  • message authentication deals with these attacks
  • masquerade
  • content modification
  • sequence modification
  • timing modification
  • In this lecture, we consider three alternative
    functions used for msg. auth.
  • message encryption
  • message authentication code (MAC)
  • hash function
  • and some requirements for designing MAC codes

3
Message encryption provides some authentication
  • if symmetric encryption is used
  • receiver knows sender must have created msg,
    since only senderreceiver know key
  • know content has not been altered
  • if public-key encryption is used
  • encryption provides no confidence of sender
    identity, since potentially every one knows
    public-key
  • however, if
  • sender signs message using their private-key
  • then encrypts with recipients public key
  • we have both secrecy and authentication
  • again need to recognize corrupted messages, but
    at cost of two public-key uses on message

4
Rejecting gibberish when using symmetric
encryption
  • If every ciphertext value corresponds to some
    plaintext value, adversary can fool receiver into
    accepting gibberish
  • An automatic means to detect whether an incoming
    ciphertext decrypts to some meaningful plaintext
    is desirable, but difficult
  • Solution is to give some structure to the
    plaintext
  • example
  • use checksums to separate meaningful text from
    gibberish
  • but checksum must be internal to ciphertext
    (why?)
  • particular choice of structure does not matter
  • e.g. use with TCP headers

5
Checksums
  • Internal versus External
  • IP packets encrypt entire TCP packet TCP header
    contains checksum

6
Message authentication code (MAC)
7
MAC
  • generated by an algorithm that creates a small
    fixed-sized block
  • depending on both the message and the key
  • like encryption, but need not be reversible
    though
  • appended to message
  • receiver performs same computation on message
    checks it matches MAC
  • provides assurance that message is unaltered
    comes from sender, per se does not provide
    encryption or signature
  • so, why use a MAC?
  • sometimes only authentication is needed
  • authentication may be needed longer than
    encryption (e.g. archival use)
  • broadcast only one needs to check, or optional
    check now or later

8
MAC properties
  • a MAC is a cryptographic checksum
  • MAC CK(M)
  • condenses a variable-length message M
  • using a secret key K
  • to a fixed-sized authenticator
  • is a many-to-one function
  • potentially many messages have same MAC
  • but finding these needs to be very difficult

9
A brute force attack on MAC
  • On average, brute-force attack on k-bit key is
    O(2k-1 )
  • With m-bit MAC, say m lt k,
  • given plaintext P and ciphertext C brute-force
    search of all 2k keys, will still yield 2k / 2m
    plausible keys
  • this can be iterated with more plaintexts until
    the key if found, but remains an expensive
    process

10
Requirements for MACs
  • taking into account other types of attacks, we
    need the MAC to satisfy the following
  • knowing a message and MAC, is infeasible to find
    another message with same MAC
  • MACs should be uniformly distributed
  • MAC should depend equally on all bits/parts of
    the message

11
Using symmetric ciphers for MACs
  • can use any block cipher chaining mode and use
    final block as a MAC
  • Data Authentication Algorithm (DAA) is a widely
    used MAC based on DES-Cipher Block Chaining
  • using IV0 and zero-pad of final block
  • encrypt message using DES in CBC mode
  • and send just the final block as the MAC
  • or the leftmost M bits (16M64) of final block
  • but final MAC is now too small for security

12
More recent symmetric cipher options
  • Use AES instead of DES
  • CBC mode requires final encryption with a second,
    independent key to avoid extension attacks
  • Digression NMAC (nested MAC) alternative
  • Output in key space, unlike CBC output in message
    space
  • Cascade function, but not well suited for AES
  • Needs padding with fixed pad, and encryption
    with second, independent key
  • How padding works
  • CMAC NIST standard, CCM mode, uses two keys wrt
    pad/not

13
Message authentication via hash functions
digital signature also
14
Message authentication via hash functions (contd.)
  • Secret value is added before hashing and then
    removed before transmission

15
Message authentication via hash functions
  • Note In scheme (c) hashing M S is more secure
    than hashing S M
  • given the iterative structure of hash functions,
    adversary could extend M with MX and generate
    new hash
  • Diffusing S in the hash of M and S can be
    achieved by using HMAC

16
Keyed hash functions as MACs
  • desirable to create a MAC using a hash function
    rather than a block cipher
  • because hash functions are generally faster
  • not limited by export controls unlike block
    ciphers
  • hash includes a key along with the message
  • original proposal
  • KeyedHash Hash(KeyMessage)
  • some weaknesses were found with this
  • eventually led to development of HMAC

17
HMAC
  • specified as Internet standard RFC2104
  • uses hash function on the message
  • HMACK Hash(K XOR opad)
  • Hash(K XOR ipad)M)
  • where K is the key padded out to size
  • and opad, ipad are specified padding constants
  • overhead is just 3 more hash calculations than
    the message needs alone
  • can use MD-5 or SHA-1

18
HMAC overview
19
HMAC security
  • security of HMAC relates to that of the
    underlying hash algorithm
  • attacking HMAC requires either
  • brute force attack on key used
  • birthday attack (but since keyed would need to
    observe a very large number of messages)
  • choose hash function based on speed vs. security
    constraints
Write a Comment
User Comments (0)
About PowerShow.com