Transcript 544 Computer and Network Security

453 Network Security
Section 3a: Message Authentication
and Public-Key Cryptography
Dr. E.C. Kulasekere
Sri Lanka Institute of Information
Technology - 2006
Outline
• Message authentication vs. message
confidentiality. Both required?
• Authentication methods
– Hash functions
– Secure hash function
– Message authentication code (MAC)
•
•
•
•
Public-key cryptography principles.
Public-key cryptography algorithms.
Digital signatures / implementation.
Key management techniques.
Cryptography and Security
Intruders, eavesdroppers and masqueraders in communication. A
threat on message confidentiality and authentication
Confidentiality Vs. Authentication (1)
• Confidentiality safeguards your information
from being viewed by others.
• This is protecting message content. Stop
interception.
• Authentication verifies the integrity of data
as well as verifying the sender.
• This can stop fabrication/Modification
Confidentiality Vs. Authentication (2)
• Authentication is arguably more important
that message confidentiality (secrecy) in
eCommerce applications.
• Generically encryption protects against
passive attacks such as eavesdropping.
• Authentication provides protection against
active attacks such as falsification and
fabrication of data.
Authentication Without Confidentiality
• Is it desirable only to have authentication
while ignoring message confidentiality?
• Example situation; civilian email versus
military email.
• There are applications in which the same
message is broadcast to a number of
destinations. The content need not be
secret but they need to be authenticated.
Eg. ?
Example Situations
• Another scenario is if a system is handling
a heavy load of messages and it cannot
afford to spend time decrypting. The
system will selectively decrypt to
authenticate.
• Authentication of computer programs etc.
Each time you use it its easier to
authenticate a tag rather than go through a
decryption program every time.
Primary Concerns of Authentication (1)
• Message came from apparent source or
author – Source Authentication
• Contents have not been altered –
Message Authentication
• Message timeliness or the sequence in
which it was sent is not disturbed (it has
not been artificially delayed or replayed).
Primary Concerns of Authentication (2)
• The above will be based on attacks such
as
– Disclosure
– Traffic analysis
– Masquerading
– Fabrication
– Sequence and timing modifications
Approaches to Message
Authentication
• Broadly categorized into two methods,
ones that uses encryption and ones that
do not.
• Approaches
– One that uses a key and encryption of
message
– One that does not use a key.
– One that uses a key but no encryption of the
message
Authentication Categories
• Authentication using conventional encryption:
Only the sender and receiver should share a key
which will provide the necessary authentication.
• Message authentication without message
encryption: An authentication tag is generated
and attached to the message. Message
confidentiality is not guaranteed since the
message is not encrypted.
• Message Authentication code: Calculate the
MAC as a function of the message and the key.
Authentication Based on Message
Encryption
• message encryption by itself also provides
a measure of authentication. The analysis
differs for symmetric and asymmetric
encryption schemes.
• if symmetric encryption is used then:
– receiver know sender must have created it
– since only sender and receiver now key used
– know content cannot of been altered
– if message has suitable structure, redundancy
or a checksum to detect any changes
Authentication Based on Message
Encryption …
Symmetric encryption: confidentiality and authentication provided
Authentication Based on Message
Encryption …
• if public-key encryption is used:
– encryption provides confidentiality but not
authentication of sender
– since anyone potentially knows public-key
– however if
• sender signs message using their private-key
• then encrypts with recipients public key
• have both secrecy and authentication
– again need to recognize corrupted messages
• Measure of error control can be used.
– but at cost of two public-key used on message
Authentication Based on Message
Encryption …
• This is the straightforward use of public key encryption.
Source A uses the public key KUb of the destination to
encrypt M
• This scheme does not provide any authentication
because any opponent could also use B’s public key to
encrypt a message claiming to be A
• B can decrypt at the destination because he is the only
one who has the private key KRb
Authentication Based on Message
Encryption …
•
•
•
•
To provide the authentication part A uses its private key to encrypt the
message, and B uses A’s public key to decrypt to authenticate.
The principle here is similar to the digital signature principle.
The reasoning is that A should be the only one who as A’s private key to
generate that ciphered text.
However this does not provide confidentiality since anyone with A’s public
key can decrypt and see the message.
Authentication Based on Message
Encryption …
• To provide both confidentiality and authentication, A can
encrypt M first using its private key (the digital signature),
then use B’s public key which will provide confidentiality.
• The only disadvantage is that the public key algorithm,
which is complex must be exercises four times rather
than two in each communication.
Authentication Based on Message
Authentication Code (MAC)
• generated by an algorithm that creates a small
fixed-sized block
– depending on both message and some key
– like encryption though need not be reversible
• receiver performs same computation on
message and checks it matches the MAC. (Note
that the MAC is not decoded hence cannot be
used for anything).
• provides assurance that message is unaltered
and comes from sender
MAC Implementation
Requirements for MAC
• Take into account the type of attacks
– Brute force attack may not be feasible to
attack MAC code.
– See MAC write-up for reasons
• Need a MAC to satisfy the following
– knowing a message and MAC, is infeasible
to find another message with same MAC
– MACs should be uniformly distributed.
– MAC should depend equally on all bits of the
message.
Features of MAC
• As shown the MAC provides confidentiality.
• The receiver is assured that the message is
not altered.
• The attacker cannot alter the message
without altering the MAC.
• Since the secret key is not known MAC
cannot be altered and will be found out at
matching at receiver.
• As a result the receiver is assured that it
came from the sender.
Features of MAC …
• can also use encryption for secrecy
– generally use separate keys for each
– can compute MAC either before or after
encryption
– is generally regarded as better done before
• The message sequence number is also
coded into the MAC, hence replay attacks
and timing attacks are also not possible.
Features of MAC …
• why use a MAC?
– sometimes only authentication is needed
– sometimes need authentication to persist
longer than the encryption (eg. archival use)
• Note that MAC is not a digital signature,
rather a cryptographic checksum.
MAC Implementations
Message Authentication
MAC Implementations
Message Authentication and
Confidentiality: Authentication Tied to plaintext
MAC Implementations
Message Authentication and
Confidentiality: Authentication Tied to ciphertext
MAC Based on DES
1. Based on CBC with IV set to zero
2. Block size is 64. The last block may be padded with zeros to make a 64-bit
block
3. The data authentication code (DAC) consists of all O_N blocks or the last
one. It can also be the left most M bits of the last block too. Remember that
the MAC need not be reversible as in the case of encryption. We need to
compare only.
Authentication Based on Hash (1)
• Variation of MAC known as one way
hash functions can be used for
authentication.
• Unlike the MAC, the hash function does
not require a secret key.
• The Hash function accepts a variable
size message and outputs a fixed size
message digest H(M).
Authentication Based on Hash (2)
• To authenticate a message, the message
digest is sent with the message in such a
way that the message digest is authentic.
• hash used to detect changes to message
• can use in various ways with message
– Using conventional encryption
– Using public-key encryption
– Using secret value
• Hash function itself is not considered to be
secret. Hence systems described in the
previous slides or the ones that follow have
to be used to protect the hash.
One way Hash Authentication using
Conventional Encryption
• Based on the assumption that only the sender and
receiver have the secret key.
• Hence authenticity is assured.
• The entire message is not encrypted.
One-Way Hash Function Authentication
Using Public-Key Encryption
• This will provide a digital signature as well as
message authentication.
• Advantage is that it does not require the distribution
of keys to communicating parties.
• The entire message is not encrypted.
One-Way Hash Function Authentication
Using Secret Value
• No encryption for message authentication.
• The communicating parties share a common secret value that
is coded into the message.
• Since the secret value itself is not sent, it is hard for the
attacker to modify the intercepted message.
• Authentication is provided but no confidentiality is provided.
Variants of Hash Functions:
Encrypt Message Plus Hash Code
• Both message and hash code encrypted.
• The message must have come from A if it is not
altered (checked using hash) since only A and B
have access to the secret key.
• Confidentiality is provided since the encryption is
applied to both hash + normal message.
Variants of Hash Functions:
Encrypted Hash Code – Shared Key
• Only hash code is encrypted using symmetric
encryption.
• Authentication is provided but not confidentiality.
• Reduces processing burden for applications that
do not require confidentiality.
Variants of Hash :Encrypt Hash Code
Sender’s private key
• Only hash code is encrypted using the senders
private key with public-key encryption.
• Authentication is provided but not confidentiality.
• Provides a digital signature.
Variants of Hash Functions:
Encrypt Results of (c) – Shared secret key
• Message and the public-key encrypted hash
code is encrypted using symmetric key.
• Confidentiality and digital signature is provided.
Variants of Hash Functions:
Compute Hash Code of Message Plus
Secret Value
• Assumes parties communicating have the secret value.
• No encryption.
• Source A computes the hash code over the concatenation of M
and S and appends the result to M.
• Authentication is provided.
Variants of Hash Functions:
Encrypt Result of (e)
• Confidentiality is added to the approach in (e)
using symmetric key encryption.
Summary