csce 815 network security lecture 7 message authentication codes and hash functions
Post on 02-Jan-2016
225 Views
Preview:
TRANSCRIPT
CSCE 815 Network Security CSCE 815 Network Security Lecture 7 Lecture 7CSCE 815 Network Security CSCE 815 Network Security Lecture 7 Lecture 7
Message Authentication CodesMessage Authentication Codes
And Hash FunctionsAnd Hash Functions
– 2 – CSCE 815 Sp 03
ResourcesResources
Brown and Johnson SlidesBrown and Johnson Slides
Big IntegersBig Integers C++ http://www.math.utah.edu/docs/info/libg++_20.html Java
http://www.gnu.org/software/classpath/docs/api/java.math.BigInteger.html
http://www.gnu.org/software/classpath/docs/api/java.security.spec.RSAPrivateCrtKeySpec.html
Benton’s RSA spreadsheet Benton’s RSA spreadsheet Class/csce815-001/Handouts/rsa.xls
– 3 – CSCE 815 Sp 03
ReviewReview
Lecture 1 – OverviewLecture 1 – Overview
Lecture 2 – Classical CryptographyLecture 2 – Classical Cryptography
Lecture 3 – DES OverviewLecture 3 – DES Overview
Lecture 4 – DES details (ref Brown)Lecture 4 – DES details (ref Brown)
Lecture 5 – Lecture 5 – (AES) Rijndael overview, (AES) Rijndael overview, Message Authentication, MAC
Lecture 6 –Lecture 6 – Public Key Encryption, RSA Public Key Encryption, RSA
– 4 – CSCE 815 Sp 03
Assignment 1 Due Feb 12Assignment 1 Due Feb 12
Decipher – Decipher – Ciphertext1 (produced with MonoAlph) Ciphertext2 (produced with Perm; n < 10) Ciphertext3 (produced Perm(MonoAlph(P)))
In doing this you should write a program that will In doing this you should write a program that will enable you to do statistical analysis of the enable you to do statistical analysis of the ciphertextsciphertexts
Then you may modify or use MonoAlph.c and perm.c to Then you may modify or use MonoAlph.c and perm.c to aid in decodingaid in decoding
– 5 – CSCE 815 Sp 03
Assignment 2 Due Feb 17Assignment 2 Due Feb 17
Page 83 problem 3.2Page 83 problem 3.2
Page 83 problem 3.5Page 83 problem 3.5
Page 84 problem 3.7Page 84 problem 3.7
– 6 – CSCE 815 Sp 03
Number Theory ReviewNumber Theory Review
Lawrie Brown slides – Chapter 8Lawrie Brown slides – Chapter 8
Primes – prime factorizationPrimes – prime factorization
Relatively Prime Numbers & GCDRelatively Prime Numbers & GCD
Fermat's Theorem: Fermat's Theorem: aap-1p-1 mod p = 1 mod p = 1
Euler Totient Function Euler Totient Function ø(n)ø(n)
Euler's Theorem: Euler's Theorem: aaø(n)ø(n)mod N = 1mod N = 1
Miller Rabin Algorithm: Primality TestingMiller Rabin Algorithm: Primality Testing
– 7 – CSCE 815 Sp 03
Prime NumbersPrime Numbers
prime numbers only have divisors of 1 and self prime numbers only have divisors of 1 and self they cannot be written as a product of other numbers note: 1 is prime, but is generally not of interest
eg. 2,3,5,7 are prime, 4,6,8,9,10 are noteg. 2,3,5,7 are prime, 4,6,8,9,10 are not
prime numbers are central to number theoryprime numbers are central to number theory
list of prime number less than 200 is: list of prime number less than 200 is: 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199
– 8 – CSCE 815 Sp 03
Prime FactorisationPrime Factorisation
to to factorfactor a number a number nn is to write it as a product of other is to write it as a product of other numbers: numbers: n = a × b × cn = a × b × c
note that factoring a number is relatively hard note that factoring a number is relatively hard compared to multiplying the factors together to compared to multiplying the factors together to generate the number generate the number
thethe prime factorisation prime factorisation of a number of a number nn is when its written is when its written as a product of primes as a product of primes eg. 91=7×13 ; 3600=24×32×52
– 9 – CSCE 815 Sp 03
Relatively Prime Numbers & GCDRelatively Prime Numbers & GCD
two numbers two numbers a, ba, b are are relatively primerelatively prime if have if have no common no common divisorsdivisors apart from 1 apart from 1 eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8
and of 15 are 1,3,5,15 and 1 is the only common factor
conversely can determine the greatest common divisor conversely can determine the greatest common divisor by comparing their prime factorizations and using by comparing their prime factorizations and using least powersleast powers eg. 300=21×31×52 18=21×32 hence GCD(18,300)=21×31×50=6
– 10 – CSCE 815 Sp 03
Fermat's TheoremFermat's Theorem
aap-1p-1 mod p = 1 mod p = 1 where p is prime and gcd(a,p)=1
also known as Fermat’s Little Theoremalso known as Fermat’s Little Theorem
useful in public key and primality testinguseful in public key and primality testing
– 11 – CSCE 815 Sp 03
Euler Totient Function ø(n)Euler Totient Function ø(n)
when doing arithmetic modulo n when doing arithmetic modulo n
complete set of residuescomplete set of residues is: is: 0..n-10..n-1
reduced set of residuesreduced set of residues is those numbers is those numbers (residues) which are relatively prime to n (residues) which are relatively prime to n eg for n=10, complete set of residues is {0,1,2,3,4,5,6,7,8,9} reduced set of residues is {1,3,7,9}
number of elements in reduced set of residues number of elements in reduced set of residues is called the is called the Euler Totient Function ø(n)Euler Totient Function ø(n)
– 12 – CSCE 815 Sp 03
Euler Totient Function ø(n)Euler Totient Function ø(n)
to compute ø(n) need to count number of to compute ø(n) need to count number of elements to be excludedelements to be excluded
in general need prime factorization, butin general need prime factorization, but for p (p prime) ø(p) = p-1 for p.q (p,q prime) ø(p.q) = (p-1)(q-1)
eg.eg. ø(37) = 36 ø(21) = (3–1)×(7–1) = 2×6 = 12
– 13 – CSCE 815 Sp 03
Euler's TheoremEuler's Theorem
a generalisation of Fermat's Theorem a generalisation of Fermat's Theorem
aaø(n)ø(n)mod N = 1 mod N = 1 where gcd(a,N)=1
eg.eg.a=3;n=10; ø(10)=4; hence 34 = 81 = 1 mod 10a=2;n=11; ø(11)=10;hence 210 = 1024 = 1 mod 11
– 14 – CSCE 815 Sp 03
Primality TestingPrimality Testing
often need to find large prime numbers often need to find large prime numbers
traditionally traditionally sievesieve using using trial divisiontrial division ie. divide by all numbers (primes) in turn less than
the square root of the number only works for small numbers
alternatively can use statistical primality tests alternatively can use statistical primality tests based on properties of primes based on properties of primes for which all primes numbers satisfy property but some composite numbers, called pseudo-
primes, also satisfy the property
– 15 – CSCE 815 Sp 03
Miller Rabin AlgorithmMiller Rabin Algorithm
a test based on Fermat’s Theorema test based on Fermat’s Theorem
algorithm is:algorithm is:TEST (n) is:1. Find integers k, q, k > 0, q odd, so that (n–1)=2kq2. Select a random integer a, 1<a<n–13. if aq mod n = 1 then return (“maybe prime");4. for j = 0 to k – 1 do
5. if (a2jq mod n = n-1)
then return(" maybe prime ")6. return ("composite")
– 16 – CSCE 815 Sp 03
Probabilistic ConsiderationsProbabilistic Considerations
if Miller-Rabin returns “composite” the if Miller-Rabin returns “composite” the number is definitely not primenumber is definitely not prime
otherwise is a prime or a pseudo-primeotherwise is a prime or a pseudo-prime
chance it detects a pseudo-prime is < ¼chance it detects a pseudo-prime is < ¼
hence if repeat test with different random hence if repeat test with different random a then chance n is prime after t tests is:a then chance n is prime after t tests is:Pr(n prime after t tests) = 1-4-t
eg. for t=10 this probability is > 0.99999
– 17 – CSCE 815 Sp 03
Message AuthenticationMessage Authentication
message authentication is concerned with: message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution)
will consider the security requirementswill consider the security requirements
then three alternative functions used:then three alternative functions used: message encryption message authentication code (MAC) hash function
– 18 – CSCE 815 Sp 03
Approaches to Message AuthenticationApproaches to Message Authentication
Authentication Using Conventional EncryptionAuthentication Using Conventional Encryption Only the sender and receiver should share a key
Message Authentication without Message EncryptionMessage Authentication without Message Encryption An authentication tag is generated and appended to each
message
Message Authentication CodeMessage Authentication Code Calculate the MAC as a function of the message and the key.
MAC = F(K, M)
– 19 – CSCE 815 Sp 03
Message Authentication Code (MAC)Message Authentication Code (MAC)
generated by an algorithm that creates a small fixed-generated by an algorithm that creates a small fixed-sized blocksized block depending on both message and some key like encryption though need not be reversible
appended to message as a appended to message as a signaturesignature
receiver performs same computation on message and receiver performs same computation on message and checks it matches the MACchecks it matches the MAC
provides assurance that message is unaltered and provides assurance that message is unaltered and comes from sendercomes from sender
– 21 – CSCE 815 Sp 03
Message Authentication CodesMessage Authentication Codes
as shown the MAC provides confidentialityas shown the MAC provides confidentiality
can also use encryption for secrecycan also use encryption for secrecy generally use separate keys for each can compute MAC either before or after encryption is generally regarded as better done before
why use a MAC?why use a MAC? sometimes only authentication is needed sometimes need authentication to persist longer
than the encryption (eg. archival use)
note that a MAC is not a digital signaturenote that a MAC is not a digital signature
– 22 – CSCE 815 Sp 03
MAC PropertiesMAC Properties
a MAC is a cryptographic checksuma MAC is a cryptographic checksumMAC = CK(M)
condenses a variable-length message M using a secret key K to a fixed-sized authenticator
is a many-to-one functionis a many-to-one function potentially many messages have same MAC but finding these needs to be very difficult
– 23 – CSCE 815 Sp 03
Requirements for MACsRequirements for MACs
taking into account the types of attackstaking into account the types of attacks
need the MAC to satisfy the following:need the MAC to satisfy the following:1. knowing a message and MAC, is infeasible to
find another message with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the message
– 24 – CSCE 815 Sp 03
Using Symmetric Ciphers for MACsUsing Symmetric Ciphers for MACs
can use any block cipher chaining mode and can use any block cipher chaining mode and use final block as a MACuse final block as a MAC
Data Authentication Algorithm (DAA)Data Authentication Algorithm (DAA) is a widely is a widely used MAC based on DES-CBCused MAC based on DES-CBC using IV=0 and zero-pad of final block encrypt message using DES in CBC mode and send just the final block as the MAC
or the leftmost M bits (16≤M≤64) of final block
but final MAC is now too small for securitybut final MAC is now too small for security
– 25 – CSCE 815 Sp 03
One Way Hash FunctionsOne Way Hash Functions
Alternative to MACAlternative to MAC
As with MAC condenses arbitrary message to fixed size As with MAC condenses arbitrary message to fixed size
usually assume that the hash function is public and not usually assume that the hash function is public and not keyedkeyed cf. MAC which is keyed
hash used to detect changes to messagehash used to detect changes to message
can use in various ways with messagecan use in various ways with message
most often to create a digital signaturemost often to create a digital signature
– 27 – CSCE 815 Sp 03
One-way HASH functionOne-way HASH function
Secret value is added before the hash and removed Secret value is added before the hash and removed before transmission.before transmission.
– 28 – CSCE 815 Sp 03
Simple Hash FunctionsSimple Hash Functions
There are several proposals for simple functionsThere are several proposals for simple functions
Based on XOR of message blocks Based on XOR of message blocks
But predictability in data causes problemsBut predictability in data causes problems
e.g., text which is ASCII has leading 0e.g., text which is ASCII has leading 0
not secure since can manipulate any message and not secure since can manipulate any message and either not change hash or change hash alsoeither not change hash or change hash also
need a stronger cryptographic functionneed a stronger cryptographic function
– 29 – CSCE 815 Sp 03
Simple Hash FunctionSimple Hash Function
One-bit circular shift on the hash value after each block is One-bit circular shift on the hash value after each block is processed would improveprocessed would improve
– 30 – CSCE 815 Sp 03
Secure HASH FunctionsSecure HASH Functions
Purpose of the HASH function is to produce a “fingerprint.”Purpose of the HASH function is to produce a “fingerprint.”
Properties of a HASH function H :Properties of a HASH function H :1. H can be applied to a block of data at any size2. H produces a fixed length output3. H(x) is easy to compute for any given x.
4. One way property - For any given block x, it is computationally infeasible to find x such that H(x) = h
5. Weak Collision Resistance Property - For any given block x, it is computationally infeasible to find with H(y) = H(x).
6. Strong Collision Resistance Property - It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) xy
– 31 – CSCE 815 Sp 03
Secure Hash Algorithm (SHA-1)Secure Hash Algorithm (SHA-1)
SHA was designed by NIST & NSA in 1993, revised 1995 SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1as SHA-1
US standard for use with DSA signature scheme US standard for use with DSA signature scheme standard is FIPS 180-1 1995, also Internet RFC3174 nb. the algorithm is SHA, the standard is SHS
produces 160-bit hash values produces 160-bit hash values
now the generally preferred hash algorithm now the generally preferred hash algorithm
based on design of MD4 with key differences based on design of MD4 with key differences
– 32 – CSCE 815 Sp 03
SHA OverviewSHA Overview
pad message so its length is 448 mod 512 pad message so its length is 448 mod 512
append a 64-bit length value to messageappend a 64-bit length value to message
initialize 5-word (160-bit) buffer (A,B,C,D,E) to initialize 5-word (160-bit) buffer (A,B,C,D,E) to
(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
process message in 16-word (512-bit) chunks:process message in 16-word (512-bit) chunks: expand 16 words into 80 words by mixing & shifting use 4 rounds of 20 bit operations on message block & buffer add output to input to form new buffer value
output hash value is the final buffer value output hash value is the final buffer value
– 34 – CSCE 815 Sp 03
SHA-1 Processing of single 512-Bit BlockSHA-1 Processing of single 512-Bit Block
– 35 – CSCE 815 Sp 03
Other Secure HASH functions- table 3.1Other Secure HASH functions- table 3.1
SHA-1SHA-1 MD5MD5 RIPEMD-160RIPEMD-160
Digest lengthDigest length 160 bits160 bits 128 bits128 bits 160 bits160 bits
Basic unit of Basic unit of processingprocessing
512 bits512 bits 512 bits512 bits 512 bits512 bits
Number of stepsNumber of steps 80 (4 rounds of 80 (4 rounds of 20)20)
64 (4 rounds 64 (4 rounds of 16)of 16)
160 (5 paired 160 (5 paired rounds of 16)rounds of 16)
Maximum message Maximum message sizesize
226464-1 bits-1 bits
– 36 – CSCE 815 Sp 03
HMACHMAC
Use a MAC derived from a cryptographic hash code, Use a MAC derived from a cryptographic hash code, such as SHA-1such as SHA-1..
Motivations:Motivations:
Cryptographic hash functions executes faster in software than encryption algorithms such as DES
Library code for cryptographic hash functions is widely available
No export restrictions from the US
– 37 – CSCE 815 Sp 03
HMAC Design ObjectivesHMAC Design Objectives
Proposal to include secret key in hash functionProposal to include secret key in hash function
RFC 2104 lists design objectives for HMACRFC 2104 lists design objectives for HMAC
1.1. To use available hash functionsTo use available hash functions
2.2. Allow easy replaceability of hash functionAllow easy replaceability of hash function
3.3. Maintain performance of original hashMaintain performance of original hash
4.4. Use and handle keys simplyUse and handle keys simply
5.5. Have well understood cryptographic analysis of Have well understood cryptographic analysis of strength of the authentication methodstrength of the authentication method
– 39 – CSCE 815 Sp 03
Other Public-Key Cryptographic AlgorithmsOther Public-Key Cryptographic Algorithms
Digital Signature Standard (DSS)Digital Signature Standard (DSS) Makes use of the SHA-1 Not for encryption or key echange
Elliptic-Curve Cryptography (ECC)Elliptic-Curve Cryptography (ECC) Good for smaller bit size Low confidence level, compared with RSA Very complex
– 40 – CSCE 815 Sp 03
Birthday AttacksBirthday Attacks
You might think a 64-bit hash is secureYou might think a 64-bit hash is secure
But by Birthday Paradox is notBut by Birthday Paradox is not
The Birthday attackThe Birthday attack works thus:works thus: opponent generates 2
m/2 variations of a valid message all with essentially the same meaning
opponent also generates 2m/2 variations of a
desired fraudulent message two sets of messages are compared to find pair
with same hash (probability > 0.5 by birthday paradox)
have user sign the valid message, then substitute the forgery which will have a valid signature
Conclusion is that need to use larger MACsConclusion is that need to use larger MACs
– 41 – CSCE 815 Sp 03
Other Secure Hash FunctionsOther Secure Hash Functions
MD5 Message Digest AlgorithmMD5 Message Digest Algorithm
RFC 1321 Ron RivestRFC 1321 Ron Rivest
128 bit message digest128 bit message digest
with faster processors security has become questionablewith faster processors security has become questionable
RIPEMD-160 RoundRIPEMD-160 Round
European groupEuropean group
produces 160 bit digestproduces 160 bit digest
processes text in 512 bit blocksprocesses text in 512 bit blocks
– 42 – CSCE 815 Sp 03
SummarySummary
have considered:have considered: message authentication using message encryption MACs hash functions some current hash algorithms: MD5, SHA-1, RIPEMD-160 HMAC authentication using hash function
– 43 – CSCE 815 Sp 03
SHA-1 Compression FunctionSHA-1 Compression Function
each round has 20 steps which replaces the 5 buffer each round has 20 steps which replaces the 5 buffer words thus:words thus:(A,B,C,D,E) <-(E+f(t,B,C,D)+(A<<5)+Wt+Kt),A,(B<<30),C,D)
a,b,c,d refer to the 4 words of the buffera,b,c,d refer to the 4 words of the buffer
t is the step numbert is the step number
f(t,B,C,D) f(t,B,C,D) is nonlinear function for roundis nonlinear function for round
WWt t is derived from the message block is derived from the message block
KKtt is a constant value derived from sin is a constant value derived from sin
– 44 – CSCE 815 Sp 03
Keyed Hash Functions as MACsKeyed Hash Functions as MACs
have desire to create a MAC using a hash function rather than a have desire to create a MAC using a hash function rather than a block cipherblock cipher because hash functions are generally faster not limited by export controls unlike block ciphers
hash includes a key along with the messagehash includes a key along with the message
original proposal:original proposal:
KeyedHash = Hash(Key|Message) some weaknesses were found with this
eventually led to development of HMAC eventually led to development of HMAC
top related