MESSAGE AUTHENTICATION and HASH FUNCTIONS - Chapter 11
• Masquerade – message insertion, fraud, ACK
• Content Modification
• Sequence Modification – insertion, deletion, re-ordering
• Timing Modification – delay, replay
AUTHENTICATION
• Message Encryption – E_K(M)
• Message Authentication Code (MAC) – C_K(M)
• Hash Function – H(M)
BASIC USES OF MESSAGE ENCRYPTION
[Figure 11.1 Basic Uses of Message Encryption (Source A to Destination B)
(a) Symmetric encryption: confidentiality and authentication – E_K(M)
(b) Public-key encryption: confidentiality – E_{KUb}(M)
(c) Public-key encryption: authentication and signature – E_{KRa}(M)
(d) Public-key encryption: confidentiality, authentication, and signature – E_{KUb}[E_{KRa}(M)]]
INTERNAL AND EXTERNAL ERROR CONTROL
[Figure 11.2 Internal and External Error Control (Source A to Destination B)
(a) Internal error control – E_K[M || F(M)]
(b) External error control – E_K[M], F(E_K[M])]
STRUCTURE
Fig 11.1a : Legitimacy test at B (intelligible)
- small subset of plaintext legitimate
- structured
Fig 11.2a : Structured redundancy via FCS
- internal ECC
- authentication
Fig 11.2b : External ECC – opponent can construct code words
- authentication
Any ’structure’ will do
e.g. Fig 11.3
PUBLIC-KEY
Fig 11.1b : Confidentiality
Fig 11.1c : Authentication - plaintext needs structure
Signature - only A could have sent, not even B
Fig 11.1 : Confidentiality / Authentication Table 11.1
TCP SEGMENT
[Figure 11.3 TCP Segment: header fields Source Port, Destination Port, Sequence Number, Acknowledgement Number, Data offset, Reserved, Flags, Window, Checksum, Urgent Pointer, Options + Padding, followed by Application Data]
BASIC USES of MESSAGE AUTHENTICATION CODE (MAC)
[Figure 11.4 Basic Uses of Message Authentication Code (MAC) (Source A to Destination B)
(a) Message authentication – M, C_K(M)
(b) Message authentication and confidentiality; authentication tied to plaintext – E_{K2}[M || C_{K1}(M)]
(c) Message authentication and confidentiality; authentication tied to ciphertext – E_{K2}[M], C_{K1}[E_{K2}(M)]]
MAC
A, B share key, K
MAC = C_K(M)
Transmit message + MAC (Fig 11.4a)
MAC not necessarily reversible
- less vulnerable than encryption
Authentication + Confidentiality
Figs 11.4b and 11.4c - Two separate keys (Table 11.2) - Fig 11.4b preferred
Use MAC, not conventional Encryption - MAC gives no signature - sender/receiver share key
Authentication + Confidentiality SCENARIOS
1. Broadcast message – one destination monitors authenticity
2. Heavy load – selective authentication
3. Sporadic authentication of computer program
4. Secrecy Unimportant
5. Separation of authentication and confidentiality - flexible
6. Prolong protection against modification
BASIC USES OF HASH FUNCTION
[Figure 11.5 Basic Uses of Hash Function (Source A to Destination B)
(a) E_K[M || H(M)]
(b) M, E_K[H(M)]
(c) M, E_{KRa}[H(M)]
(d) E_K[M || E_{KRa}[H(M)]]
(e) M, H(M || S)
(f) E_K[M || H(M || S)]]
HASH FUNCTIONS
M (variable size) → H(M) (fixed size)
M || H(M) (error detection)
Fig 11.5 – Table 11-3
(b) and (c) require less computation
(e) - no encryption
FOR AUTHENTICATION: COMPARE HASH WITH ENCRYPTION
Encryption is:
• Slow
• Costly in hardware
• Optimised for large data blocks
• Patented
• Export control
MAC
MAC = C_K(M)
many-to-one, domain is arbitrary length
Attack: MAC collisions : 2^k keys, 2^n MACs, 2^n < 2^k
Many keys for one MAC : opponent cannot choose
Opponent must iterate attack for many MACs:
Round 1 : 2^{k-n} keys
Round 2 : 2^{k-2n} keys
...
Round r : 1 key
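
The round-by-round narrowing on this slide, as an added example that is not part of the original slides: a toy MAC with k = 16 and n = 8 (HMAC-SHA256 truncated to one byte, an assumption standing in for C_K), where each known (M, MAC) pair keeps only about 2^{-n} of the remaining candidate keys. The key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

KEY_BITS = 16   # k: toy key size so all 2^k keys can be enumerated
TAG_BYTES = 1   # n = 8 bits, so 2^n < 2^k as on the slide

def toy_mac(key: int, message: bytes) -> bytes:
    """C_K(M): HMAC-SHA256 truncated to n bits (assumed stand-in for C)."""
    key_bytes = key.to_bytes(KEY_BITS // 8, "big")
    return hmac.new(key_bytes, message, hashlib.sha256).digest()[:TAG_BYTES]

def eliminate_keys(pairs):
    """Filter the key space with one known (M, MAC) pair per round.

    Returns (surviving_keys, counts); counts[i] is the number of candidate
    keys still consistent with every pair seen up to round i + 1.
    """
    candidates = range(2 ** KEY_BITS)
    counts = []
    for message, tag in pairs:
        candidates = [k for k in candidates if toy_mac(k, message) == tag]
        counts.append(len(candidates))
        if len(candidates) == 1:   # "Round r : 1 key"
            break
    return list(candidates), counts

# Constructed sample data: a secret key and the (M, MAC) pairs seen on the wire.
SECRET_KEY = 0xBEEF
MESSAGES = [b"msg-%d: transfer 10 units" % i for i in range(6)]
PAIRS = [(m, toy_mac(SECRET_KEY, m)) for m in MESSAGES]

if __name__ == "__main__":
    keys, counts = eliminate_keys(PAIRS)
    for rnd, count in enumerate(counts, start=1):
        print(f"Round {rnd}: {count} candidate keys remain")
    print("recovered key matches:", keys == [SECRET_KEY])
```

One pair cannot pin down the key when n < k, but every further pair shrinks the candidate set by a factor of about 2^n, so it is the key length that bounds this search.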
MAC PROPERTIES
1. Given M and C_K(M), too much work to construct M’ such that C_K(M’) = C_K(M)
2. C_K(M) uniformly distributed: pr(C_K(M) = C_K(M’)) = 2^{-n}
DATA AUTHENTICATION ALGORITHM (CBC Mode)
[Figure 11.6 Data Authentication Algorithm (FIPS PUB 113): at Time = 1, 2, ..., N−1, N the 64-bit data blocks D_1, D_2, ..., D_{N−1}, D_N are chained (+) through DES Encrypt under key K (56 bits), giving 64-bit outputs O_1, O_2, ..., O_{N−1}, O_N; DAC (16 to 64 bits)]
HASH FUNCTIONS
h = H(x) - file fingerprint
Properties:
1. Any size input
2. Fixed-size output
3. H(x) easy to compute
4. Infeasible to compute x given h – (one-way) – 2^n
5. (Weak Collision Resistance) – 2^n
Given x, infeasible to compute y not equal to x such that H(y) = H(x) - prevents forgery
6. (Strong Collision Resistance) – 2^{n/2}
Infeasible to find (x,y) such that H(x) = H(y)
- Birthday Attack
BIRTHDAY ATTACK
Given M, find M’ such that H(M’) = H(M)
~ 2^{n-1} hashes
But (Fig 11.5c),
• Prepare 2^{n/2} variations of M
• Prepare 2^{n/2} variations of M’
• Search for H(M) = H(M’)
• Pr(success) > 0.5 using 2^{n/2} hashes
• A signs M H(M)
• Opponent substitutes M’ for M
• A encrypts M’ || H(M)
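
An added example (not from the original slides) of the 2^{n/2} search: it hashes trailing-whitespace variations of M and M’ under a toy 24-bit hash (SHA-256 truncated, an assumption to keep it fast) and stops at the first pair with H(M) = H(M’). Both message texts and all function names are constructed.

```python
import hashlib

N_BITS = 24  # toy hash length n; real hashes need n large enough that 2^(n/2) is out of reach

def toy_hash(message: bytes) -> bytes:
    """H(M): SHA-256 truncated to N_BITS (assumption made for the demo)."""
    return hashlib.sha256(message).digest()[: N_BITS // 8]

def variation(base: str, i: int) -> bytes:
    """i-th variation: same visible text, different trailing space/tab pattern."""
    suffix = "".join(" \t"[(i >> bit) & 1] for bit in range(20))
    return (base + suffix).encode()

def birthday_search(genuine: str, substitute: str, limit: int = 1 << 17):
    """Hash variations of both messages in lock-step until one of each collide.

    Returns (m, m_prime, hashes_computed), or None if limit is reached.
    """
    seen_genuine, seen_substitute = {}, {}
    for i in range(limit):
        m, mp = variation(genuine, i), variation(substitute, i)
        hm, hmp = toy_hash(m), toy_hash(mp)
        seen_genuine[hm] = m
        seen_substitute[hmp] = mp
        if hm in seen_substitute:            # new M variant matches an earlier M'
            return m, seen_substitute[hm], 2 * (i + 1)
        if hmp in seen_genuine:              # new M' variant matches an earlier M
            return seen_genuine[hmp], mp, 2 * (i + 1)
    return None

GENUINE = "I agree to pay 100 USD."       # constructed M
SUBSTITUTE = "I agree to pay 9000 USD."   # constructed M'

if __name__ == "__main__":
    m, m_prime, hashes = birthday_search(GENUINE, SUBSTITUTE)
    print(f"H(M) = H(M') = {toy_hash(m).hex()} after {hashes} hashes "
          f"(2^(n/2) = {2 ** (N_BITS // 2)})")
    print(repr(m))
    print(repr(m_prime))
```

The number of hashes needed tracks 2^{n/2} rather than 2^{n-1}, which is why a hash used under a signature needs an output twice as long as the intended security level.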
MEET-IN-THE-MIDDLE ATTACK
• Block Chaining
Given M = M_1 | M_2 | ... | M_N
H_0 = init
H_i = E_{M_i}[H_{i-1}]
G = H_N
Opponent has M and encrypted signature, G
• Construct arbitrary message Q_1 | Q_2 | ... | Q_{N-2}
• Compute H_i = E_{Q_i}[H_{i-1}] up to H_{N-2}
• Find X,Y such that E_X[H_{N-2}] = D_Y[G] (prob 2^{n/2})
• Construct Q_1 | Q_2 | ... | Q_{N-2} | X | Y = M’
• Substitute M’ for M
BRUTE-FORCE ATTACKS
Hash : 2^{n/2}
MAC : min(2^k, 2^n) - like symmetric encryp.
SECURE HASH CODE
[Figure 11.10 General Structure of Secure Hash Code: compression function f applied in turn to the b-bit input blocks Y_0, Y_1, ..., Y_{L−1}, with n-bit chaining variables IV = CV_0, CV_1, ..., CV_{L−1}, CV_L]
IV = Initial value
CV = chaining variable
Y_i = ith input block
f = compression algorithm
L = number of input blocks
n = length of hash code
b = length of input block
If compression function collision-resistant then so is iterated hash function
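
The structure of Figure 11.10 as an added example, not code from the original slides: f is a stand-in compression function built from truncated SHA-256, and b, n and IV are toy values. It goes slightly beyond the slide by appending the message length as a final block, which the collision-resistance claim depends on; with zero fill alone, messages of different lengths can hash alike.

```python
import hashlib
import struct

B = 8          # b: input block length in bytes (toy value)
N = 4          # n: hash code / chaining variable length in bytes (toy value)
IV = bytes(N)  # IV = CV_0 (constructed: all zeros)

def f(cv: bytes, block: bytes) -> bytes:
    """Compression function f: (n-byte CV, b-byte block) -> n-byte CV."""
    return hashlib.sha256(cv + block).digest()[:N]

def split_blocks(message: bytes, append_length: bool):
    """Return Y_0 .. Y_{L-1}: zero-fill to a multiple of b, then optionally
    add one more block holding the message length in bits."""
    data = message + bytes(-len(message) % B)
    if append_length:
        data += struct.pack(">Q", 8 * len(message))  # 8 bytes == one block
    return [data[i:i + B] for i in range(0, len(data), B)]

def iterated_hash(message: bytes, append_length: bool = True) -> bytes:
    """CV_i = f(CV_{i-1}, Y_{i-1}) for i = 1..L; H(M) = CV_L."""
    cv = IV
    for y in split_blocks(message, append_length):
        cv = f(cv, y)
    return cv

if __name__ == "__main__":
    m1, m2 = b"abc", b"abc\x00"   # constructed inputs that zero-fill to the same block
    print("zero fill only :", iterated_hash(m1, False).hex(),
          iterated_hash(m2, False).hex())
    print("length appended:", iterated_hash(m1).hex(), iterated_hash(m2).hex())
```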
THE BIRTHDAY PARADOX
[Figure 11.11 The Birthday Paradox: plot of P(365, k), vertical axis 0.0 to 1.0, against k, horizontal axis 0 to 70]