Masquerade Content Modification Sequence Modification Timing Modification


MESSAGE AUTHENTICATION and
HASH FUNCTIONS - Chapter 11
• Masquerade
– message insertion, fraud, ACK
• Content Modification
• Sequence Modification
– insertion, deletion, re-ordering
• Timing Modification
– delay, replay
AUTHENTICATION
• Message Encryption
– EK(M)
• Message Authentication Code (MAC)
– CK(M)
• Hash Function
– H(M)
BASIC USES OF MESSAGE
ENCRYPTION
[Figure 11.1 Basic Uses of Message Encryption]
(a) Symmetric encryption: confidentiality and authentication: EK(M)
(b) Public-key encryption: confidentiality: EKUb(M)
(c) Public-key encryption: authentication and signature: EKRa(M)
(d) Public-key encryption: confidentiality, authentication, and signature: EKUb[EKRa(M)]
INTERNAL AND EXTERNAL ERROR
CONTROL
[Figure 11.2 Internal and External Error Control]
(a) Internal error control: EK[M || F(M)]
(b) External error control: EK[M] || F(EK[M])
STRUCTURE
Fig 11.1a : Legitimacy test at B (intelligible)
- small subset of plaintext legitimate
- structured
Fig 11.2a : Structured redundancy via FCS
- internal ECC
- authentication
Fig 11.2b : External ECC
– opponent can construct code words
- authentication
Any ’structure’ will do
e.g. Fig 11.3
PUBLIC-KEY
Fig 11.1b : Confidentiality
Fig 11.1c : Authentication
- plaintext needs structure
Signature
- only A could have sent,
not even B
Fig 11.1 : Confidentiality / Authentication
Table 11.1
TCP SEGMENT
[Figure 11.3 TCP Segment]
Fields shown: Source Port, Destination Port, Sequence Number, Acknowledgement Number, Data offset, Reserved, Flags, Window, Checksum, Urgent Pointer, Options + Padding, Application Data (20 octets marked in the figure)
BASIC USES of MESSAGE
AUTHENTICATION CODE (MAC)
MAC
A, B share key, K
MAC = CK(M)
Transmit message + MAC
(Fig 11.4a)
MAC not necessarily reversible
- less vulnerable than encryption
BASIC USES of MESSAGE
AUTHENTICATION CODE (MAC)
Authentication
+ Confidentiality
Figs 11.4b and 11.4c
- Two separate keys
- Fig 11.4b preferred
(Table 11.2)
Use MAC, not conventional Encryption
- MAC gives no signature
- sender/receiver share key
Authentication + Confidentiality
SCENARIOS
1. Broadcast message – one destination monitors
authenticity
2. Heavy load – selective authentication
3. Sporadic authentication of computer program
4. Secrecy Unimportant
5. Separation of authentication and confidentiality
- flexible
6. Prolong protection against modification
BASIC USES OF HASH FUNCTION
[Figure 11.5 Basic Uses of Hash Function (page 1 of 2)]
(a) EK[M || H(M)]
(b) EK[H(M)]
(c) EKRa[H(M)]
BASIC USES OF HASH FUNCTION
[Figure 11.5 Basic Uses of Hash Function (page 2 of 2)]
(d) EK[ M || EKRa[H(M)] ]
(e) H(M || S)
(f) EK[ M || H(M || S) ]
HASH FUNCTIONS
variable size M → fixed size H(M)
→ M|H(M)
(error detection)
Fig 11.5 – Table 11-3
(b) and (c) require less computation
(e) - no encryption
FOR AUTHENTICATION:
COMPARE HASH WITH
ENCRYPTION
Encryption is:
• Slow
• Costly in hardware
• Optimised for large data blocks
• Patented
• Export control
MAC
MAC = CK(M)
many-to-one, domain is arbitrary length
Attack:
MAC collisions : 2^k keys, 2^n MACs, 2^n < 2^k
Many keys for one MAC : opponent cannot
choose
Opponent must iterate attack for many MACs:
Round 1 : 2^{k-n} keys
Round 2 : 2^{k-2n} keys
...
Round r : 1 key
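
The round-by-round key elimination above, as an added example that is not part of the original slides. It assumes a toy MAC (HMAC-SHA256 truncated to n = 8 bits, standing in for CK(M)) with a k = 16 bit key, and a constructed key and message set, so that one (M, MAC) pair leaves about 2^{k-n} candidate keys and further pairs narrow them to one.

```python
import hashlib
import hmac

KEY_BITS = 16   # k: toy key size so exhaustive search finishes quickly
TAG_BITS = 8    # n: toy MAC length, with n < k as on the slide

def toy_mac(key: int, msg: bytes) -> int:
    """C_K(M): HMAC-SHA256 truncated to TAG_BITS (a stand-in, not the DAA)."""
    key_bytes = key.to_bytes(KEY_BITS // 8, "big")
    digest = hmac.new(key_bytes, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - TAG_BITS)

def eliminate_keys(pairs):
    """Filter the key space with one (M, MAC) pair per round.

    Returns (surviving keys, number of survivors after each round).
    """
    survivors = range(2 ** KEY_BITS)
    counts = []
    for msg, tag in pairs:
        survivors = [k for k in survivors if toy_mac(k, msg) == tag]
        counts.append(len(survivors))
        if len(survivors) == 1:
            break
    return list(survivors), counts

SECRET = 0xBEEF  # constructed sample key
# Constructed sample traffic: six messages with their MACs under SECRET.
PAIRS = [(m, toy_mac(SECRET, m)) for m in (b"msg-%d" % i for i in range(6))]

if __name__ == "__main__":
    keys, counts = eliminate_keys(PAIRS)
    for rnd, count in enumerate(counts, 1):
        expected = 2 ** max(KEY_BITS - rnd * TAG_BITS, 0)
        print(f"round {rnd}: {count} candidate keys (2^(k-{rnd}n) = {expected})")
    print("single key left and it is the shared key:", keys == [SECRET])
```

Because a handful of observed pairs is enough to pin the key down, the tag length does not compensate for a short key; the key space itself has to be out of reach.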
MAC PROPERTIES
1. Given M and CK(M),
too much work to construct M’ such that,
CK(M’) = CK(M)
2. CK(M) uniformly distributed:
pr(CK(M) = CK(M’)) = 2^{-n}
DATA AUTHENTICATION
ALGORITHM (CBC Mode)
[Figure 11.6 Data Authentication Algorithm (FIPS PUB 113)]
Labels shown: Time = 1 ... N; input blocks D1 ... DN (64 bits); K (56 bits); DES Encrypt at each step, chained through "+"; outputs O1 ... ON (64 bits); DAC (16 to 64 bits)
HASH FUNCTIONS
h = H(x)
- file fingerprint
Properties:
1. Any size input
2. Fixed-size output
3. H(x) easy to compute
4. Infeasible to compute x given h – (one-way) – 2^n
5. (Weak Collision Resistance) – 2^n
Given x, infeasible to compute y not equal to x
such that, H(y) = H(x)
prevents forgery
6. (Strong Collision Resistance) – 2^{n/2}
Infeasible to find (x,y) such that H(x) = H(y)
- Birthday Attack
BIRTHDAY ATTACK
Given M, find M’ such that H(M’) = H(M)
~ 2^{n-1} hashes
But (Fig 11.5c),
• Prepare 2^{n/2} variations of M
• Prepare 2^{n/2} variations of M’
• Search for H(M) = H(M’)
• Pr(success) > 0.5 using 2^{n/2} hashes
• A signs M → H(M)
• Opponent substitutes M’ for M
• A encrypts M’|H(M)
MEET-IN-THE-MIDDLE
ATTACK
• Block Chaining
Given M = M_1 | M_2 | ... | M_N
H_0 = init
H_i = E_{M_i}[H_{i-1}]
G = H_N
Opponent has M and encrypted signature, G
• Construct arbitrary message
Q_1 | Q_2 | ... | Q_{N-2}
• Compute H_i = E_{Q_i}[H_{i-1}] up to H_{N-2}
• Find X,Y such that E_X[H_{N-2}] = D_Y[G] (prob 2^{n/2})
• Construct Q_1 | Q_2 | ... | Q_{N-2} | X | Y = M’
• Substitute M’ for M
BRUTE-FORCE
ATTACKS
Hash : 2^{n/2}
MAC : min(2^k, 2^n)
- like symmetric encryp.
SECURE HASH CODE
[Figure 11.10 General Structure of Secure Hash Code]
Blocks Y0 ... YL-1 (b bits each) are fed through f, starting from IV = CV0 and producing CV1 ... CVL (n bits each)
IV = Initial value
CV = chaining variable
Yi = ith input block
f = compression algorithm
L = number of input blocks
n = length of hash code
b = length of input block
If compression function collision-resistant then
so is iterated hash function
THE BIRTHDAY PARADOX
[Figure 11.11 The Birthday Paradox: plot of P(365, k) from 0.0 to 1.0 against k from 0 to 70]
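
An added example (not from the original slides) for the BIRTHDAY ATTACK slide and Figure 11.11: it evaluates P(365, k) and counts how many hashes a toy n-bit hash needs before two different inputs collide, which is the reason a hash length n has to make 2^{n/2} work infeasible. The toy hash (SHA-256 truncated to n bits) and the message variations are assumptions constructed for this example.

```python
import hashlib

def birthday_prob(n_values: int, k: int) -> float:
    """P(N, k): chance that k uniform draws from N values contain a repeat."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (n_values - i) / n_values
    return 1.0 - p_distinct

def smallest_k(n_values: int, target: float = 0.5) -> int:
    """Smallest k for which P(N, k) exceeds target."""
    k = 1
    while birthday_prob(n_values, k) <= target:
        k += 1
    return k

def truncated_hash(msg: bytes, n_bits: int) -> int:
    """Toy n-bit hash: the leading n_bits of SHA-256 (assumption of this example)."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest[:8], "big") >> (64 - n_bits)

def first_collision(n_bits: int):
    """Hash message variations until two of them share a hash value.

    Returns (first message, second message, number of hashes computed).
    """
    seen = {}
    count = 0
    while True:
        msg = b"variation-%d" % count   # constructed sample input
        count += 1
        h = truncated_hash(msg, n_bits)
        if h in seen:
            return seen[h], msg, count
        seen[h] = msg

if __name__ == "__main__":
    print("P(365, 23) =", round(birthday_prob(365, 23), 4))
    print("smallest k with P(365, k) > 0.5:", smallest_k(365))
    for n in (16, 24, 32):
        a, b, hashes = first_collision(n)
        print(f"n={n}: collision after {hashes} hashes, 2^(n/2) = {2 ** (n // 2)}")
```

The collision counts land near 2^{n/2} rather than 2^n, matching the strong collision resistance figure on the HASH FUNCTIONS slide.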