Message Authentication and Hash functions Basic uses Basic requirements Basic attacks

Message Authentication and Hash functions

Basic uses

Basic requirements

Basic attacks

Introduction

• In the context of communication across a network the following attacks can be identified:
1. Disclosure
2. Traffic analysis
3. Masquerade
– insertion of messages into the network from a fraudulent source
– fraudulent acknowledgement of a message receipt
4. Content modification
– insertion, deletion, transposition, modification
5. Sequence modification
– modification to a sequence of messages between parties, i.e. reordering
6. Timing modification
– delay or replay of messages
7. Repudiation

• Measures against attacks 1 and 2 involve achieving confidentiality.
• Measures against attacks 3, 4, 5 and 6 are generally regarded as message authentication.
• Mechanisms dealing specifically with attack 7 use digital signatures.

Introduction

• Message authentication is a procedure to verify that received messages come from the alleged source and have not been altered.

• Also sequencing and timeliness may be authenticated.

Authentication Functions

• Any message authentication or digital signature can be viewed as having two levels
– at the lower level there is a function that produces an authenticator: a value used to authenticate a message.
– a higher level authentication protocol uses the authenticator as a primitive to produce an authentication service

• There are three types of functions used to produce the authenticator
1. Message encryption: the ciphertext of the whole message is the authenticator
2. Message authentication code (MAC): a public function and a secret key produce a fixed-length value that is the authenticator
3. Hash function: a public function that maps the message into a fixed-length hash value serving as authenticator

• MACs and hash functions can be applied to messages of any length.

Authentication functions – message encryption

• Message encryption by itself provides a measure of authentication
• Sender authentication in conventional encryption
– general reasoning: "the message must have come from A since he is the only one having the secret key".
• Authentication against modification is also provided
– an opponent without the secret key does not know how to change the ciphertext so that it still decrypts into a meaningful message
– Note: it must be possible for the receiver to tell apart a legitimate plaintext from a fraudulent one.
– Only a small subset of all possible bit patterns are considered legitimate so that spurious ciphertext is unlikely to produce legitimate plaintext
– In general the message needs to have some sort of structure to enable automatic verification of authenticity.
– As an example, an error detecting code or frame check sequence (FCS) can be added to the message (fig 8.2.)
– Another example is the TCP segment: a spurious ciphertext will not decrypt to a meaningful TCP header.
– In the TCP example the structural part also contains useful information, such as a sequence number. Thus also delay, deletion and reordering attacks are detected.

Authentication functions – MACs

• Using a MAC involves the use of a secret key to generate a small fixed size block of data, a cryptographic checksum.

• Communicating parties A and B share a secret key K. The MAC is calculated as MAC = $C_K(M)$. The algorithm C is public.

• The MAC is appended to the message. The receiver performs the same calculation for the message using the same secret key and compares the received MAC to the calculated MAC. If they are the same, the message has been authenticated.
– The message has not been altered: the attacker cannot alter the MAC to correspond to the alterations in the message.
– The message must be from the alleged sender. A message with a proper MAC can only be prepared with the secret key.
– If the message contains a sequence number, then the receiver can also be assured of the proper sequence

• Note that a MAC does not provide a digital signature because both the sender and receiver have the same secret key.

Authentication functions – hash functions

• A one-way hash function is a variation on the MAC
– A secret key is not used
– The hash function accepts a variable-size message M as input and produces a fixed-size hash code H(M) as output. H(M) is often called a message digest.
– a hash code is a function of all the bits of the message, thus providing an error detection capability.

• The hash function itself is not secret; some means is required to protect the hash value.

• The hash function can be used in a variety of ways to provide message authentication (see fig.)

MACs

• A function of the message and a secret key: MAC = $C_K(M)$.

• The brute force attempt to discover the authentication key is no less effort than that required to discover a decryption key of the same length.

• However, other attacks that do not require the discovery of the key are possible. Thus the MAC needs to have a few properties:

• Requirements for a MAC
1. If an opponent observes M and $C_K(M)$, it must be infeasible to construct a message M' s.t. $C_K(M') = C_K(M)$.
2. $C_K(M)$ should be uniformly distributed in the sense that for randomly chosen messages M and M', the probability that $C_K(M') = C_K(M)$ is $2^{-n}$, where n is the number of bits in the MAC.
3. Let M' be equal to some known transformation of M, i.e. M' = f(M). Now it should hold that $\Pr[C_K(M') = C_K(M)] = 2^{-n}$.

MACs

• The first requirement is needed for protection against the construction of a new message, without knowledge of K, that yields the same MAC.

• The second requirement protects against a brute force attack based on chosen plaintext. Assume that the opponent does not know K but has access to the MAC function and can present messages for MAC generation. Then with a uniform distribution $2^{n-1}$ attempts are needed.

• The third requirement dictates that the algorithm should not be weaker w.r.t. certain parts or bits of the message. If this were not the case, then these "weak spots" could be used to increase the probability of finding a message yielding the same MAC.

MAC based on DES

• Data Authentication Algorithm, one of the most widely used MACs.
• The algorithm uses CBC mode of DES with zero initialization vector.

• The message is grouped into 64-bit blocks $D_1, D_2, \ldots, D_N$.

• The Data Authentication Code (DAC) is formed using the secret key K as follows:

$O_1 = E_K(D_1)$

$O_2 = E_K(D_2 \oplus O_1)$

$O_3 = E_K(D_3 \oplus O_2)$

....

$O_N = E_K(D_N \oplus O_{N-1})$

This algorithm meets the requirements above.

Hash functions

• A hash value is generated by a one-way function H of the form h = H(M), where M is the variable length message

• Hash functions are in general very complex. Thus we examine simple functions to get a feel on the issues involved.

• Requirements for a hash function
1. H can be applied to a block of any size
2. H produces a fixed length output
3. H(x) is easy to compute for any given x, making hardware and software implementations possible
4. One-way property: for any given code h it is computationally infeasible to find x such that h = H(x).
5. Weak collision resistance: for any given block x it is computationally infeasible to find a block y ≠ x s.t. H(x) = H(y).
6. Strong collision resistance: it is computationally infeasible to find a pair (y, x) s.t. H(x) = H(y).

• The first three properties are needed for practical use of the hash-function

Hash functions cont...

• The fourth property is needed if the authentication technique involves the use of a secret value S (fig. 8.5 e). The opponent could learn S from $S||M = H^{-1}(C)$, if he obtains $C = H(S||M)$.

• The weak collision property guarantees that an alternative message yielding the same code can not be found. This prevents forgery when an encrypted hash code is used (fig 8.5.b,c)

• The strong collision property refers to how resistant the hash function is to a class of attacks known as the birthday attack.

Simple hash functions

• All hash-functions operate using the following general principles.

• The input is viewed as a sequence of n-bit blocks. The input is processed one block at a time in an iterative way to produce an n-bit hash-code.

• One of the simplest is $C_i = b_{i1} \oplus b_{i2} \oplus \cdots \oplus b_{im}$, where $\oplus$ is the XOR operation, $C_i$ is the ith bit in the hash code, m is the number of blocks and $b_{ij}$ is the ith bit in the jth block.

• This simple code offers no protection if the hash code is encrypted and the message is not
– prepare the alternate message and then append an n-bit block that forces the new message plus this block to yield the desired hash code.

• Also, if both the message and the simple hash code are encrypted, an attack that manipulates the message s.t. it is not detected is possible (left to exercises)

• Authentication issues are very complicated, as are attacks against authentication measures!
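The weakness of the simple XOR code described above, as an added example that is not part of the original slides: the forcing block is just the XOR of the alternate message's code and the protected code, while a keyed MAC over the same data rejects the substitution. The 64-bit block size, zero padding, sample messages and key are assumptions constructed for the illustration; HMAC-SHA256 is swapped in as the keyed MAC because it ships with the Python standard library.

```python
import hashlib
import hmac

BLOCK = 8  # n = 64-bit blocks (assumed block size for this sketch)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad(msg: bytes) -> bytes:
    """Zero-pad to a whole number of blocks (padding rule is an assumption)."""
    return msg + bytes(-len(msg) % BLOCK)

def xor_hash(msg: bytes) -> bytes:
    """C = b_1 XOR b_2 XOR ... XOR b_m over the n-bit blocks of the message."""
    data, code = pad(msg), bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        code = xor_bytes(code, data[i:i + BLOCK])
    return code

def forcing_block(alternate: bytes, target_code: bytes) -> bytes:
    """The extra block that makes pad(alternate) + block hash to target_code."""
    return xor_bytes(xor_hash(alternate), target_code)

def keyed_tag(key: bytes, msg: bytes) -> bytes:
    """Keyed alternative: HMAC-SHA256 from the standard library."""
    return hmac.new(key, msg, hashlib.sha256).digest()

# Constructed sample data, not taken from the slides
ORIGINAL = b"meeting moved to room 12 at 10:00"
ALTERNATE = b"meeting moved to room 99 at 23:00"
KEY = b"constructed-demo-key"

def demo():
    code = xor_hash(ORIGINAL)  # the value the sender encrypts and attaches
    substituted = pad(ALTERNATE) + forcing_block(ALTERNATE, code)
    xor_accepts = xor_hash(substituted) == code
    hmac_accepts = hmac.compare_digest(keyed_tag(KEY, substituted),
                                       keyed_tag(KEY, ORIGINAL))
    return xor_accepts, hmac_accepts

if __name__ == "__main__":
    print(demo())
```

The receiver's check on the XOR code passes for the substituted message because the protected value never depended on anything the opponent could not recompute.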

Two simple hash functions, XOR and R-XOR

Birthday Attacks

• In a scenario where an encrypted hash-code is transmitted together with unencrypted message the opponent aims to substitute the message with an alternative one yielding the same hash code to fool the receiver. In other words the opponent needs to find M’ s.t. H(M) = H(M’).

• Suppose a 64-bit hash code is used. Thus the opponent would have to try about $2^{63}$ alternative messages to find one that matches the hash code?
– WRONG!

1. The source A is prepared to sign a message by appending to the message an m-bit MAC encrypted with A's private key (fig 8.5.c)
2. The opponent generates $2^{m/2}$ variations of the message, all containing essentially the same information. The opponent also generates $2^{m/2}$ variations of the fraudulent message to be substituted for the real one in the same manner.
3. The two sets of messages are compared to find a pair that yield the same hash code. The probability of finding such a pair is greater than 0.5 by the birthday paradox.
4. The opponent offers the valid variation to A for signature. Now the message can be substituted for the fraudulent message of the pair. The receiver will not detect the change of the message.

• Thus, with a 64-bit hash code, only an effort of the order of $2^{32}$ was needed.
• The conclusion is that the length of the hash code should be substantial.
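The two-set comparison in steps 2 and 3, as an added example that is not part of the original slides, run against a deliberately short code so the $2^{m/2}$ effort can be measured. The 20-bit truncation of SHA-256, the double-space variation scheme and both sample messages are assumptions constructed for the illustration.

```python
import hashlib

M_BITS = 20  # toy hash length m (assumed for a fast run; the slide uses 64)

def toy_hash(msg: str) -> int:
    """SHA-256 truncated to M_BITS bits, standing in for a short m-bit hash code."""
    digest = hashlib.sha256(msg.encode()).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - M_BITS)

def variation(words, i):
    """i-th variant: gap k becomes a double space if bit k of i is set."""
    out = [words[0]]
    for k, word in enumerate(words[1:]):
        out.append("  " if (i >> k) & 1 else " ")
        out.append(word)
    return "".join(out)

def birthday_pair(valid: str, fraud: str):
    """Grow both variant sets in step until one hash code appears in both sets."""
    v_words, f_words = valid.split(), fraud.split()
    gaps = min(len(v_words), len(f_words)) - 1
    seen_valid, seen_fraud = {}, {}
    for i in range(1 << gaps):
        v, f = variation(v_words, i), variation(f_words, i)
        hv, hf = toy_hash(v), toy_hash(f)
        seen_valid[hv], seen_fraud[hf] = v, f
        if hv in seen_fraud:
            return v, seen_fraud[hv], i + 1
        if hf in seen_valid:
            return seen_valid[hf], f, i + 1
    return None  # ran out of variants without a match

# Constructed sample messages (17 words each, so 2**16 variants per set)
VALID = "I agree to pay Bob the sum of 100 euros on the first day of next month"
FRAUD = "I agree to pay Bob the sum of 900 euros on the first day of next month"

if __name__ == "__main__":
    v, f, per_set = birthday_pair(VALID, FRAUD)
    print(f"match after {per_set} variants per set; 2^(m/2) = {1 << (M_BITS // 2)}")
    print(repr(v), repr(f), hex(toy_hash(v)), sep="\n")
```

Raising `M_BITS` by two roughly doubles the number of variants needed, which is the scaling behind the slide's conclusion about hash length.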

Security of Hash functions and MACs

• Brute Force attacks – Hash
– the security depends solely on the length of the hash code.
– for a code of length n the effort needed is proportional to the following, depending on the properties required for the hash function:
  One way: $2^n$
  Weak collision resistance: $2^n$
  Strong collision resistance: $2^{n/2}$

• Brute Force attacks – MAC
– requires known message-MAC pairs
– computational resistance: given text-MAC pairs $(x_i, C_K(x_i))$, it is computationally infeasible to compute any text-MAC pair $(x, C_K(x))$ for any new input $x \neq x_i$
– Either the key space or the MAC value can be attacked.
– By finding the secret key, the attacker can produce a valid MAC for any message. The effort needed to find the key is $2^k$.
– In attacking the MAC the goal is to generate a valid MAC for a specific message, or to find a message that matches a given MAC. The effort is comparable to the weak collision resistance property of a hash code, i.e. $2^n$.

Security of Hash functions and MACs

• Cryptanalytic attacks
– these attacks seek to exploit some property of the algorithm to perform an attack other than exhaustive search.

• Cryptanalytic attacks – hash
– any hash function based on CBC is vulnerable
– the resistance of the code against birthday attack is proportional to the block length of the block cipher used (e.g. 64 bits in DES).

• Cryptanalytic attacks – MAC
– little work has been done to develop these attacks
– resistance greater than the corresponding hash