csce 815 network security lecture 7 message authentication codes and hash functions

44
CSCE 815 Network Security CSCE 815 Network Security Lecture Lecture 7 7 Message Authentication Codes Message Authentication Codes And Hash Functions And Hash Functions

Upload: berenice-hart

Post on 02-Jan-2016

223 views

Category:

Documents


3 download

TRANSCRIPT

CSCE 815 Network Security CSCE 815 Network Security Lecture 7 Lecture 7CSCE 815 Network Security CSCE 815 Network Security Lecture 7 Lecture 7

Message Authentication CodesMessage Authentication Codes

And Hash FunctionsAnd Hash Functions

– 2 – CSCE 815 Sp 03

ResourcesResources

Brown and Johnson SlidesBrown and Johnson Slides

Big IntegersBig Integers C++ http://www.math.utah.edu/docs/info/libg++_20.html Java

http://www.gnu.org/software/classpath/docs/api/java.math.BigInteger.html

http://www.gnu.org/software/classpath/docs/api/java.security.spec.RSAPrivateCrtKeySpec.html

Benton’s RSA spreadsheet Benton’s RSA spreadsheet Class/csce815-001/Handouts/rsa.xls

– 3 – CSCE 815 Sp 03

ReviewReview

Lecture 1 – OverviewLecture 1 – Overview

Lecture 2 – Classical CryptographyLecture 2 – Classical Cryptography

Lecture 3 – DES OverviewLecture 3 – DES Overview

Lecture 4 – DES details (ref Brown)Lecture 4 – DES details (ref Brown)

Lecture 5 – Lecture 5 – (AES) Rijndael overview, (AES) Rijndael overview, Message Authentication, MAC

Lecture 6 –Lecture 6 – Public Key Encryption, RSA Public Key Encryption, RSA

– 4 – CSCE 815 Sp 03

Assignment 1 Due Feb 12Assignment 1 Due Feb 12

Decipher – Decipher – Ciphertext1 (produced with MonoAlph) Ciphertext2 (produced with Perm; n < 10) Ciphertext3 (produced Perm(MonoAlph(P)))

In doing this you should write a program that will In doing this you should write a program that will enable you to do statistical analysis of the enable you to do statistical analysis of the ciphertextsciphertexts

Then you may modify or use MonoAlph.c and perm.c to Then you may modify or use MonoAlph.c and perm.c to aid in decodingaid in decoding

– 5 – CSCE 815 Sp 03

Assignment 2 Due Feb 17Assignment 2 Due Feb 17

Page 83 problem 3.2Page 83 problem 3.2

Page 83 problem 3.5Page 83 problem 3.5

Page 84 problem 3.7Page 84 problem 3.7

– 6 – CSCE 815 Sp 03

Number Theory ReviewNumber Theory Review

Lawrie Brown slides – Chapter 8Lawrie Brown slides – Chapter 8

Primes – prime factorizationPrimes – prime factorization

Relatively Prime Numbers & GCDRelatively Prime Numbers & GCD

Fermat's Theorem: Fermat's Theorem: aap-1p-1 mod p = 1 mod p = 1

Euler Totient Function Euler Totient Function ø(n)ø(n)

Euler's Theorem: Euler's Theorem: aaø(n)ø(n)mod N = 1mod N = 1

Miller Rabin Algorithm: Primality TestingMiller Rabin Algorithm: Primality Testing

– 7 – CSCE 815 Sp 03

Prime NumbersPrime Numbers

prime numbers only have divisors of 1 and self prime numbers only have divisors of 1 and self they cannot be written as a product of other numbers note: 1 is prime, but is generally not of interest

eg. 2,3,5,7 are prime, 4,6,8,9,10 are noteg. 2,3,5,7 are prime, 4,6,8,9,10 are not

prime numbers are central to number theoryprime numbers are central to number theory

list of prime number less than 200 is: list of prime number less than 200 is: 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199

– 8 – CSCE 815 Sp 03

Prime FactorisationPrime Factorisation

to to factorfactor a number a number nn is to write it as a product of other is to write it as a product of other numbers: numbers: n = a × b × cn = a × b × c

note that factoring a number is relatively hard note that factoring a number is relatively hard compared to multiplying the factors together to compared to multiplying the factors together to generate the number generate the number

thethe prime factorisation prime factorisation of a number of a number nn is when its written is when its written as a product of primes as a product of primes eg. 91=7×13 ; 3600=24×32×52

– 9 – CSCE 815 Sp 03

Relatively Prime Numbers & GCDRelatively Prime Numbers & GCD

two numbers two numbers a, ba, b are are relatively primerelatively prime if have if have no common no common divisorsdivisors apart from 1 apart from 1 eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8

and of 15 are 1,3,5,15 and 1 is the only common factor

conversely can determine the greatest common divisor conversely can determine the greatest common divisor by comparing their prime factorizations and using by comparing their prime factorizations and using least powersleast powers eg. 300=21×31×52 18=21×32 hence GCD(18,300)=21×31×50=6

– 10 – CSCE 815 Sp 03

Fermat's TheoremFermat's Theorem

aap-1p-1 mod p = 1 mod p = 1 where p is prime and gcd(a,p)=1

also known as Fermat’s Little Theoremalso known as Fermat’s Little Theorem

useful in public key and primality testinguseful in public key and primality testing

– 11 – CSCE 815 Sp 03

Euler Totient Function ø(n)Euler Totient Function ø(n)

when doing arithmetic modulo n when doing arithmetic modulo n

complete set of residuescomplete set of residues is: is: 0..n-10..n-1

reduced set of residuesreduced set of residues is those numbers is those numbers (residues) which are relatively prime to n (residues) which are relatively prime to n eg for n=10, complete set of residues is {0,1,2,3,4,5,6,7,8,9} reduced set of residues is {1,3,7,9}

number of elements in reduced set of residues number of elements in reduced set of residues is called the is called the Euler Totient Function ø(n)Euler Totient Function ø(n)

– 12 – CSCE 815 Sp 03

Euler Totient Function ø(n)Euler Totient Function ø(n)

to compute ø(n) need to count number of to compute ø(n) need to count number of elements to be excludedelements to be excluded

in general need prime factorization, butin general need prime factorization, but for p (p prime) ø(p) = p-1 for p.q (p,q prime) ø(p.q) = (p-1)(q-1)

eg.eg. ø(37) = 36 ø(21) = (3–1)×(7–1) = 2×6 = 12

– 13 – CSCE 815 Sp 03

Euler's TheoremEuler's Theorem

a generalisation of Fermat's Theorem a generalisation of Fermat's Theorem

aaø(n)ø(n)mod N = 1 mod N = 1 where gcd(a,N)=1

eg.eg.a=3;n=10; ø(10)=4; hence 34 = 81 = 1 mod 10a=2;n=11; ø(11)=10;hence 210 = 1024 = 1 mod 11

– 14 – CSCE 815 Sp 03

Primality TestingPrimality Testing

often need to find large prime numbers often need to find large prime numbers

traditionally traditionally sievesieve using using trial divisiontrial division ie. divide by all numbers (primes) in turn less than

the square root of the number only works for small numbers

alternatively can use statistical primality tests alternatively can use statistical primality tests based on properties of primes based on properties of primes for which all primes numbers satisfy property but some composite numbers, called pseudo-

primes, also satisfy the property

– 15 – CSCE 815 Sp 03

Miller Rabin AlgorithmMiller Rabin Algorithm

a test based on Fermat’s Theorema test based on Fermat’s Theorem

algorithm is:algorithm is:TEST (n) is:1. Find integers k, q, k > 0, q odd, so that (n–1)=2kq2. Select a random integer a, 1<a<n–13. if aq mod n = 1 then return (“maybe prime");4. for j = 0 to k – 1 do

5. if (a2jq mod n = n-1)

then return(" maybe prime ")6. return ("composite")

– 16 – CSCE 815 Sp 03

Probabilistic ConsiderationsProbabilistic Considerations

if Miller-Rabin returns “composite” the if Miller-Rabin returns “composite” the number is definitely not primenumber is definitely not prime

otherwise is a prime or a pseudo-primeotherwise is a prime or a pseudo-prime

chance it detects a pseudo-prime is < ¼chance it detects a pseudo-prime is < ¼

hence if repeat test with different random hence if repeat test with different random a then chance n is prime after t tests is:a then chance n is prime after t tests is:Pr(n prime after t tests) = 1-4-t

eg. for t=10 this probability is > 0.99999

– 17 – CSCE 815 Sp 03

Message AuthenticationMessage Authentication

message authentication is concerned with: message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution)

will consider the security requirementswill consider the security requirements

then three alternative functions used:then three alternative functions used: message encryption message authentication code (MAC) hash function

– 18 – CSCE 815 Sp 03

Approaches to Message AuthenticationApproaches to Message Authentication

Authentication Using Conventional EncryptionAuthentication Using Conventional Encryption Only the sender and receiver should share a key

Message Authentication without Message EncryptionMessage Authentication without Message Encryption An authentication tag is generated and appended to each

message

Message Authentication CodeMessage Authentication Code Calculate the MAC as a function of the message and the key.

MAC = F(K, M)

– 19 – CSCE 815 Sp 03

Message Authentication Code (MAC)Message Authentication Code (MAC)

generated by an algorithm that creates a small fixed-generated by an algorithm that creates a small fixed-sized blocksized block depending on both message and some key like encryption though need not be reversible

appended to message as a appended to message as a signaturesignature

receiver performs same computation on message and receiver performs same computation on message and checks it matches the MACchecks it matches the MAC

provides assurance that message is unaltered and provides assurance that message is unaltered and comes from sendercomes from sender

– 20 – CSCE 815 Sp 03

– 21 – CSCE 815 Sp 03

Message Authentication CodesMessage Authentication Codes

as shown the MAC provides confidentialityas shown the MAC provides confidentiality

can also use encryption for secrecycan also use encryption for secrecy generally use separate keys for each can compute MAC either before or after encryption is generally regarded as better done before

why use a MAC?why use a MAC? sometimes only authentication is needed sometimes need authentication to persist longer

than the encryption (eg. archival use)

note that a MAC is not a digital signaturenote that a MAC is not a digital signature

– 22 – CSCE 815 Sp 03

MAC PropertiesMAC Properties

a MAC is a cryptographic checksuma MAC is a cryptographic checksumMAC = CK(M)

condenses a variable-length message M using a secret key K to a fixed-sized authenticator

is a many-to-one functionis a many-to-one function potentially many messages have same MAC but finding these needs to be very difficult

– 23 – CSCE 815 Sp 03

Requirements for MACsRequirements for MACs

taking into account the types of attackstaking into account the types of attacks

need the MAC to satisfy the following:need the MAC to satisfy the following:1. knowing a message and MAC, is infeasible to

find another message with same MAC

2. MACs should be uniformly distributed

3. MAC should depend equally on all bits of the message

– 24 – CSCE 815 Sp 03

Using Symmetric Ciphers for MACsUsing Symmetric Ciphers for MACs

can use any block cipher chaining mode and can use any block cipher chaining mode and use final block as a MACuse final block as a MAC

Data Authentication Algorithm (DAA)Data Authentication Algorithm (DAA) is a widely is a widely used MAC based on DES-CBCused MAC based on DES-CBC using IV=0 and zero-pad of final block encrypt message using DES in CBC mode and send just the final block as the MAC

or the leftmost M bits (16≤M≤64) of final block

but final MAC is now too small for securitybut final MAC is now too small for security

– 25 – CSCE 815 Sp 03

One Way Hash FunctionsOne Way Hash Functions

Alternative to MACAlternative to MAC

As with MAC condenses arbitrary message to fixed size As with MAC condenses arbitrary message to fixed size

usually assume that the hash function is public and not usually assume that the hash function is public and not keyedkeyed cf. MAC which is keyed

hash used to detect changes to messagehash used to detect changes to message

can use in various ways with messagecan use in various ways with message

most often to create a digital signaturemost often to create a digital signature

– 26 – CSCE 815 Sp 03

One-way HASH One-way HASH functionfunction

– 27 – CSCE 815 Sp 03

One-way HASH functionOne-way HASH function

Secret value is added before the hash and removed Secret value is added before the hash and removed before transmission.before transmission.

– 28 – CSCE 815 Sp 03

Simple Hash FunctionsSimple Hash Functions

There are several proposals for simple functionsThere are several proposals for simple functions

Based on XOR of message blocks Based on XOR of message blocks

But predictability in data causes problemsBut predictability in data causes problems

e.g., text which is ASCII has leading 0e.g., text which is ASCII has leading 0

not secure since can manipulate any message and not secure since can manipulate any message and either not change hash or change hash alsoeither not change hash or change hash also

need a stronger cryptographic functionneed a stronger cryptographic function

– 29 – CSCE 815 Sp 03

Simple Hash FunctionSimple Hash Function

One-bit circular shift on the hash value after each block is One-bit circular shift on the hash value after each block is processed would improveprocessed would improve

– 30 – CSCE 815 Sp 03

Secure HASH FunctionsSecure HASH Functions

Purpose of the HASH function is to produce a “fingerprint.”Purpose of the HASH function is to produce a “fingerprint.”

Properties of a HASH function H :Properties of a HASH function H :1. H can be applied to a block of data at any size2. H produces a fixed length output3. H(x) is easy to compute for any given x.

4. One way property - For any given block x, it is computationally infeasible to find x such that H(x) = h

5. Weak Collision Resistance Property - For any given block x, it is computationally infeasible to find with H(y) = H(x).

6. Strong Collision Resistance Property - It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) xy

– 31 – CSCE 815 Sp 03

Secure Hash Algorithm (SHA-1)Secure Hash Algorithm (SHA-1)

SHA was designed by NIST & NSA in 1993, revised 1995 SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1as SHA-1

US standard for use with DSA signature scheme US standard for use with DSA signature scheme standard is FIPS 180-1 1995, also Internet RFC3174 nb. the algorithm is SHA, the standard is SHS

produces 160-bit hash values produces 160-bit hash values

now the generally preferred hash algorithm now the generally preferred hash algorithm

based on design of MD4 with key differences based on design of MD4 with key differences

– 32 – CSCE 815 Sp 03

SHA OverviewSHA Overview

pad message so its length is 448 mod 512 pad message so its length is 448 mod 512

append a 64-bit length value to messageappend a 64-bit length value to message

initialize 5-word (160-bit) buffer (A,B,C,D,E) to initialize 5-word (160-bit) buffer (A,B,C,D,E) to

(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)

process message in 16-word (512-bit) chunks:process message in 16-word (512-bit) chunks: expand 16 words into 80 words by mixing & shifting use 4 rounds of 20 bit operations on message block & buffer add output to input to form new buffer value

output hash value is the final buffer value output hash value is the final buffer value

– 33 – CSCE 815 Sp 03

Message Digest Generation Using SHA-1Message Digest Generation Using SHA-1

– 34 – CSCE 815 Sp 03

SHA-1 Processing of single 512-Bit BlockSHA-1 Processing of single 512-Bit Block

– 35 – CSCE 815 Sp 03

Other Secure HASH functions- table 3.1Other Secure HASH functions- table 3.1

SHA-1SHA-1 MD5MD5 RIPEMD-160RIPEMD-160

Digest lengthDigest length 160 bits160 bits 128 bits128 bits 160 bits160 bits

Basic unit of Basic unit of processingprocessing

512 bits512 bits 512 bits512 bits 512 bits512 bits

Number of stepsNumber of steps 80 (4 rounds of 80 (4 rounds of 20)20)

64 (4 rounds 64 (4 rounds of 16)of 16)

160 (5 paired 160 (5 paired rounds of 16)rounds of 16)

Maximum message Maximum message sizesize

226464-1 bits-1 bits

– 36 – CSCE 815 Sp 03

HMACHMAC

Use a MAC derived from a cryptographic hash code, Use a MAC derived from a cryptographic hash code, such as SHA-1such as SHA-1..

Motivations:Motivations:

Cryptographic hash functions executes faster in software than encryption algorithms such as DES

Library code for cryptographic hash functions is widely available

No export restrictions from the US

– 37 – CSCE 815 Sp 03

HMAC Design ObjectivesHMAC Design Objectives

Proposal to include secret key in hash functionProposal to include secret key in hash function

RFC 2104 lists design objectives for HMACRFC 2104 lists design objectives for HMAC

1.1. To use available hash functionsTo use available hash functions

2.2. Allow easy replaceability of hash functionAllow easy replaceability of hash function

3.3. Maintain performance of original hashMaintain performance of original hash

4.4. Use and handle keys simplyUse and handle keys simply

5.5. Have well understood cryptographic analysis of Have well understood cryptographic analysis of strength of the authentication methodstrength of the authentication method

– 38 – CSCE 815 Sp 03

HMAC StructureHMAC Structure

– 39 – CSCE 815 Sp 03

Other Public-Key Cryptographic AlgorithmsOther Public-Key Cryptographic Algorithms

Digital Signature Standard (DSS)Digital Signature Standard (DSS) Makes use of the SHA-1 Not for encryption or key echange

Elliptic-Curve Cryptography (ECC)Elliptic-Curve Cryptography (ECC) Good for smaller bit size Low confidence level, compared with RSA Very complex

– 40 – CSCE 815 Sp 03

Birthday AttacksBirthday Attacks

You might think a 64-bit hash is secureYou might think a 64-bit hash is secure

But by Birthday Paradox is notBut by Birthday Paradox is not

The Birthday attackThe Birthday attack works thus:works thus: opponent generates 2

m/2 variations of a valid message all with essentially the same meaning

opponent also generates 2m/2 variations of a

desired fraudulent message two sets of messages are compared to find pair

with same hash (probability > 0.5 by birthday paradox)

have user sign the valid message, then substitute the forgery which will have a valid signature

Conclusion is that need to use larger MACsConclusion is that need to use larger MACs

– 41 – CSCE 815 Sp 03

Other Secure Hash FunctionsOther Secure Hash Functions

MD5 Message Digest AlgorithmMD5 Message Digest Algorithm

RFC 1321 Ron RivestRFC 1321 Ron Rivest

128 bit message digest128 bit message digest

with faster processors security has become questionablewith faster processors security has become questionable

RIPEMD-160 RoundRIPEMD-160 Round

European groupEuropean group

produces 160 bit digestproduces 160 bit digest

processes text in 512 bit blocksprocesses text in 512 bit blocks

– 42 – CSCE 815 Sp 03

SummarySummary

have considered:have considered: message authentication using message encryption MACs hash functions some current hash algorithms: MD5, SHA-1, RIPEMD-160 HMAC authentication using hash function

– 43 – CSCE 815 Sp 03

SHA-1 Compression FunctionSHA-1 Compression Function

each round has 20 steps which replaces the 5 buffer each round has 20 steps which replaces the 5 buffer words thus:words thus:(A,B,C,D,E) <-(E+f(t,B,C,D)+(A<<5)+Wt+Kt),A,(B<<30),C,D)

a,b,c,d refer to the 4 words of the buffera,b,c,d refer to the 4 words of the buffer

t is the step numbert is the step number

f(t,B,C,D) f(t,B,C,D) is nonlinear function for roundis nonlinear function for round

WWt t is derived from the message block is derived from the message block

KKtt is a constant value derived from sin is a constant value derived from sin

– 44 – CSCE 815 Sp 03

Keyed Hash Functions as MACsKeyed Hash Functions as MACs

have desire to create a MAC using a hash function rather than a have desire to create a MAC using a hash function rather than a block cipherblock cipher because hash functions are generally faster not limited by export controls unlike block ciphers

hash includes a key along with the messagehash includes a key along with the message

original proposal:original proposal:

KeyedHash = Hash(Key|Message) some weaknesses were found with this

eventually led to development of HMAC eventually led to development of HMAC