
And Re as 4

Date post: 08-Apr-2018
Upload: sandeep7632
Hashing and Message Authentication Codes, Andreas Klappenecker, Texas A&M University
Transcript

8/7/2019 And Re as 4

http://slidepdf.com/reader/full/and-re-as-4 1/31

Hashing and Message Authentication Codes

 Andreas Klappenecker

Texas A&M University

Encryption is not all!

• Alice can use encryption to protect privacy

• Need key. Key distribution and management

• Protect integrity of message

• Authentication

Remember Eve

[Figure: Alice, Bob and Eve]

"Let’s go to Christopher’s tonight! Love, Alice"

"Let’s order a Fatty Joe’s cheese pizza! Love, Alice"

Authentication and integrity needed!

Hash Functions

A transformation of a message of arbitrary length into a fixed-length number is called a hash function.

Alternate names are fingerprint or digest.

Hash Functions are Versatile

Hash functions are used for

• message and file integrity

• secure login

• fingerprints of keys

• authentication

• digital signatures

Desirable Properties of a Hash Function H

1) It should be possible to efficiently compute the hash value z=H(m) of a message m.

2) Given the hash value z=H(m), it should be computationally infeasible to find m. A function with this property is called a one-way function.

3) Given a message m, it should be infeasible to find another message m’ such that H(m)=H(m’).

4) It should be infeasible to find two messages m and m’ such that H(m)=H(m’).

Property 3) is known as weak collision resistance, and Property 4) is known as strong collision resistance.

Birthday Attacks

Any function H: {0,1}* -> {0,1}^n must have infinitely many collisions.

It requires O(2^{n/2}) evaluations of H to find two messages m and m’ that have a collision, H(m)=H(m’).

This means n must be reasonably large, otherwise it cannot be collision resistant.

Example

Suppose a hash function H produces n bit values.

Compose a document nice treaty and about 2n/2+1

semantically equivalent versions.

Similarly, compose an evil treaty and about 2n/2+1

semantically equivalent versions.

With probability ½ or more there will be a version of the nice treaty and a version of the evil treaty that have the same hash value.
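The birthday bound from the two slides above can be measured directly. This is an added example, not part of the original slides: it assumes a toy n bit hash made from the top n bits of SHA-256 and constructed counter messages, and counts how many evaluations pass before two distinct messages collide.

```python
import hashlib


def truncated_hash(message: bytes, n_bits: int) -> int:
    """Toy n bit hash (assumption): the top n_bits of SHA-256."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - n_bits)


def birthday_search(n_bits: int):
    """Hash distinct messages until two of them share a hash value.

    Returns (m1, m2, evaluations). The pigeonhole principle guarantees
    termination after at most 2**n_bits + 1 evaluations; the birthday
    bound says about 2**(n_bits / 2) are usually enough.
    """
    seen = {}      # hash value -> first message that produced it
    counter = 0
    while True:
        message = b"constructed message #%d" % counter
        counter += 1
        value = truncated_hash(message, n_bits)
        if value in seen:
            return seen[value], message, counter
        seen[value] = message


def work_table(sizes=(16, 20, 24)):
    """Rows of (n, evaluations needed, 2^(n/2)) for even output sizes n."""
    rows = []
    for n in sizes:
        _, _, evaluations = birthday_search(n)
        rows.append((n, evaluations, 2 ** (n // 2)))
    return rows


if __name__ == "__main__":
    for n, evaluations, bound in work_table():
        print(f"n={n:2d}  evaluations={evaluations:6d}  2^(n/2)={bound}")
```

Each extra bit of output multiplies the collision work by only about 1.41, which is why a 128 bit hash offers roughly 64 bits of collision resistance.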

Hash Algorithms

• The message digest algorithm MD5 by Ron Rivest with 128 bit hash values.

• The secure hash algorithm SHA-1. It was developed by NSA and standardized by NIST. This algorithm uses 160 bit hash values encoded in 5 x 32 bit words.

• The family SHA-256, SHA-384, SHA-512 of hash functions that are supposed to be used with AES. They will be part of the NIST Cryptographic Toolkit.

Why are these bit lengths used?

MD5

It compresses messages of 512 bits length into a hash of length 128 bits.

A message of arbitrary length is padded to length

k = 448 mod 512

A 64 bit string describing the length of the message is added. The message length is now a multiple of 512.

The hashing is done block-by-block.

MD5

A buffer containing four words A, B, C, D of 32 bits is used to compute the hash value. Initializations are

word A: 01 23 45 67
word B: 89 ab cd ef
word C: fe dc ba 98
word D: 76 54 32 10

The procedure uses four boolean functions that operate bitwise on 32 bit words, given by

F(X,Y,Z) = XY v not(X) Z

G(X,Y,Z) = XZ v Y not(Z)

H(X,Y,Z) = X xor Y xor Z

I(X,Y,Z) = Y xor (X v not(Z))

Additionally, it uses the table

T[i] = 4294967296 abs(sin(i))

MD5

The algorithm proceeds in four rounds that operate on 16 words X[k] of 32 bits, processing 16x32=512 bits.

The operation [abcd k s i] is short for

a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s)

The first round consists of the 16 operations

[ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4]

[ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8]

[ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12]

[ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16]

The next three rounds are similar…

The hash value is A B C D.

MD5

At the end of the four rounds, the result is added to the previous values of ABCD.
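The padding, the buffer initialization, the functions F, G, H, I, the table T and the final addition described on the MD5 slides fit together as follows. This is an added example, not code from the slides: it goes beyond them by filling in rounds two to four, whose rotation amounts and word order are taken from RFC 1321, and the sample input is constructed.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# T[i] = integer part of 4294967296 * abs(sin(i)), i in radians, i = 1..64.
T = [0] + [int(4294967296 * abs(math.sin(i))) & MASK for i in range(1, 65)]
# Rotation amounts s; round 1 uses the 7, 12, 17, 22 pattern listed above,
# the other three rows come from RFC 1321.
SHIFTS = [(7, 12, 17, 22), (5, 9, 14, 20), (4, 11, 16, 23), (6, 10, 15, 21)]

def rotl(x, s):
    """32 bit left rotation, the <<< operator."""
    return ((x << s) | (x >> (32 - s))) & MASK

def pad(message):
    """0x80, zero bytes up to 448 mod 512 bits, then the 64 bit length."""
    bit_len = (8 * len(message)) & 0xFFFFFFFFFFFFFFFF
    message += b"\x80"
    message += b"\x00" * ((56 - len(message)) % 64)
    return message + struct.pack("<Q", bit_len)

def md5(message):
    # Bytes 01 23 45 67 of word A are stored low-order first: 0x67452301.
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    data = pad(message)
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for i in range(64):
            rnd = i // 16
            if rnd == 0:
                f, k = (b & c) | (~b & d), i                 # F
            elif rnd == 1:
                f, k = (b & d) | (c & ~d), (5 * i + 1) % 16  # G
            elif rnd == 2:
                f, k = b ^ c ^ d, (3 * i + 5) % 16           # H
            else:
                f, k = c ^ (b | ~d), (7 * i) % 16            # I
            total = (a + f + X[k] + T[i + 1]) & MASK
            a, b, c, d = d, (b + rotl(total, SHIFTS[rnd][i % 4])) & MASK, b, c
        # Add this block's result to the previous values of A, B, C, D.
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

if __name__ == "__main__":
    sample = b"constructed sample input " * 10
    print(md5(sample).hex(), md5(sample) == hashlib.md5(sample).digest())
```

The implementation is for studying the structure only; it is checked against `hashlib.md5`, which is what production code should call where MD5 is still required for compatibility.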

MD5 Reference

A detailed description of MD5 is contained in RFC1321.

Hans Dobbertin has shown that MD5 is not collision resistant, so it is not advisable to use this algorithm.

It is used in IPSec and other protocols.

Secure Hash Algorithm

The four secure hash algorithms SHA-1 and SHA-256, SHA-384, SHA-512 are described in the FIPS 180-2 document. See the CryptoToolkit page

http://csrc.nist.gov/CryptoToolkit/tkhash.html

You should browse through the standards posted by NIST. The Cryptographic Toolkit contains all primitives for authentication, encryption, digital signatures, etc.

Block Ciphers from Hash Functions

An interesting result by Luby and Rackoff shows that a Feistel cipher is strong if three random functions f1, f2, f3 are used.

Thus, if we have a cryptographically strong hash function, then we immediately can get a strong cipher.

[Figure: Feistel cipher with round functions f1, f2, f3]

Remark 

Some countries deem it necessary to restrict the export of encryption algorithms.

Hash functions are usually not subject to such export restrictions. The previous result shows how absurd such policies are.

Message Authentication Codes

A message authentication code is a family of functions h_k that are parameterized by a secret key k such that

1) for a given k and an arbitrary input x, it is easy to compute the MAC-value h_k(x).

2) the function h_k(x) maps a message x of arbitrary length to a value with a fixed number of bits n.

3) if the key k is not known, then it is computationally infeasible to compute the MAC value h_k(m) of some new message m, even if valid MAC values are known for other messages m_1,…,m_g not equal to m.

Message Authentication

• Alice encrypts the message m to ensure privacy. The resulting cryptogram is E(K,m).

• She forms the message authentication code MAC(K,m) and sends both E(K,m) and MAC(K,m)

• Actually, the proper use of the MAC is more complicated than that, as you will see shortly...

Message Authentication Codes from Block Ciphers

We can use any block cipher to construct a MAC; this is the so-called CBC-MAC.

For a sequence of plaintext blocks P_1,…,P_k do

H_0 := IV (some initial vector)

H_i := E(K, P_i xor H_{i-1}) for all i from 1 to k

MAC := H_k

This is simply the CBC mode of the block cipher, but just the last block is transmitted and all others are deleted.

Using CBC-MAC

A number of attacks are known when the CBC-MAC is simply applied to the message itself.

Rather use the following recipe:

1) Form s := m || l where l = length(m)

2) Pad s until it is a multiple of the block size

3) Apply CBC-MAC to the padded string

4) Use the last block and delete the others.

Message Authentication Codes from Hash Functions

A hash function with n bits provides n/2 bits security against certain attacks. A MAC should provide n bits of security. This means we cannot define MAC(K,m) as

H( K || m) or the like

Instead, the idea of HMAC is to use the following simple construction

HMAC(K,m) = H( K xor a || H( K xor b || m) )

where a and b are certain bit strings.
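The construction above, written out as an added example that is not part of the original slides. It assumes H = SHA-256 and takes the bit strings a and b from RFC 2104 (the byte 0x5c and the byte 0x36, each repeated to the hash block size); the key handling for short and long keys also follows that RFC. The result is checked against Python's standard `hmac` module.

```python
import hashlib
import hmac

BLOCK_SIZE = 64                       # SHA-256 input block size in bytes
A_PAD = bytes([0x5C]) * BLOCK_SIZE    # the string a (outer pad, RFC 2104)
B_PAD = bytes([0x36]) * BLOCK_SIZE    # the string b (inner pad, RFC 2104)


def xor(left: bytes, right: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(left, right))


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC(K,m) = H( K xor a || H( K xor b || m) ) with H = SHA-256."""
    # Keys longer than one block are hashed first, then every key is
    # zero-padded to exactly one block so that K xor a is well defined.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner = hashlib.sha256(xor(key, B_PAD) + message).digest()
    return hashlib.sha256(xor(key, A_PAD) + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


if __name__ == "__main__":
    key = b"constructed demo key"
    message = b"Let's go to Christopher's tonight! Love, Alice"
    tag = hmac_sha256(key, message)
    print(tag.hex())
    print(tag == hmac.new(key, message, hashlib.sha256).digest())
    print(verify(key, message.replace(b"tonight", b"tomorrow"), tag))
```

Because the key enters both the inner and the outer hash, knowing H( K xor b || m) for some m does not let anyone extend the message, which is the weakness of the plain H( K || m) definition.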

The Secure Channel

[Figure: Alice, Bob and Eve]

Eve can insert, delete, and manipulate messages.

Alice and Bob want to transmit messages somehow.

The Secure Channel

We assume that Alice and Bob share a secret key that is not known to anybody else.

Every time the channel is initialized, a new key K is created. This prevents simple replay attacks.

Alice sends a sequence of messages m_1, m_2,… that are processed by the secure channel algorithms, and sends them to Bob.

Bob processes the received messages and ends up with a sequence m_1’, m_2’,…

The Secure Channel

For the time being, our goal is that

1) Eve does not learn anything about the messages m_i except for their timing and size, and

2) even when Eve attacks the channel, Bob will receive a subsequence of the message sequence sent by Alice, and he will know which subsequence he has received, that is, he knows which packets are missing

Later we will improve on 1) by introducing mechanisms that make it difficult for Eve to do traffic analysis.

The Secure Channel

Die Gretchenfrage*

1) Should we encrypt first and then authenticate the ciphertext, or

2) should we authenticate first and then encrypt both message and MAC value?

*For the original question, see Goethe’s Faust.

The Secure Channel

One can make a case for either version.

Ferguson and Schneier argue that authenticating first is advisable if one favors security over computing time.

If you find a compelling argument for either case, then let me know.

Secure Channel: Authentication

Alice numbers her messages 1,2,3,…

Denote by i the message number, and by x_i an additional portion of data that helps in the authentication. Let L(x_i) denote the length of x_i in bytes.

Compute a_i = MAC( i || L(x_i) || x_i || m_i )
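The authentication step above, together with the earlier goal that Bob learns which packets are missing, as an added example that is not part of the original slides. It assumes HMAC-SHA-256 as the MAC, 32 bit big-endian encodings for i and L(x_i), and constructed keys and messages; the encryption layer is left out because the Python standard library has no AES.

```python
import hashlib
import hmac
import struct


def mac_input(i, x, m):
    """Encode i || L(x_i) || x_i || m_i with i and L(x_i) as 32 bit integers."""
    return struct.pack(">II", i, len(x)) + x + m


def tag(key, i, x, m):
    """a_i = MAC(i || L(x_i) || x_i || m_i); HMAC-SHA-256 is the assumed MAC."""
    return hmac.new(key, mac_input(i, x, m), hashlib.sha256).digest()


class Receiver:
    """Bob's side: accept only authentic messages with increasing numbers."""

    def __init__(self, key):
        self.key = key
        self.last = 0        # highest message number accepted so far
        self.missing = []    # message numbers Bob knows he never received

    def receive(self, i, x, m, a):
        if not hmac.compare_digest(tag(self.key, i, x, m), a):
            return "bad MAC"
        if i <= self.last:
            return "replayed or out of order"
        self.missing.extend(range(self.last + 1, i))
        self.last = i
        return "accepted"


def demo():
    key = b"constructed 32-byte session key!"
    x = b"hdr"  # constructed additional data x_i
    sent = [(i, x, b"message %d" % i) for i in (1, 2, 3, 4)]
    packets = [(i, xi, m, tag(key, i, xi, m)) for i, xi, m in sent]
    bob = Receiver(key)
    results = [bob.receive(*packets[0])]              # message 1 arrives
    # message 2 is deleted in transit and never arrives
    results.append(bob.receive(*packets[2]))          # message 3 arrives
    results.append(bob.receive(*packets[0]))          # message 1 sent again
    i, xi, m, a = packets[3]
    results.append(bob.receive(i, xi, m + b"!", a))   # message 4 modified
    results.append(bob.receive(5, xi, m, a))          # message 4 renumbered
    return results, bob.missing
```

The length field L(x_i) is what keeps the encoding unambiguous: without it, x_i = "ab", m_i = "c" and x_i = "a", m_i = "bc" would feed the same bytes to the MAC.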

Secure Channel: Encryption

We can use for instance AES in CTR mode. Recall that the counter mode is defined by K_i := E(K, Nonce || i) and C_i := P_i xor K_i

We can use for instance a plaintext consisting of a 32 bit block number, a 32 bit message number, and 64 bit zeros. For a message with nonce i, the key stream can be defined by

k_0 k_1 k_2 … = E(K, 0 || i || 0) || E(K, 1 || i || 0) || … || E(K, 2^{32}-1 || i || 0)

The final message sent is i || m_i xor K_{i1} || a_i xor K_{i2}

References

Douglas R. Stinson, Cryptography: Theory and Practice, Second Edition, Chapman & Hall/CRC, 2002.

Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition, John Wiley & Sons, 1996.

William Stallings, Cryptography and Network Security: Principles and Practice, Third Edition, Prentice Hall, 2003.

Ross Anderson, Security Engineering – A Guide to Building Dependable Distributed Systems, Wiley, 2001.

References

Niels Ferguson and Bruce Schneier, Practical Cryptography, Wiley, 2003.

Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography, 5th printing, CRC Press, 2001.

Amazingly, this book is completely available online at http://www.cacr.math.uwaterloo.ca/hac/

