sign in sign up
<<
Home , Leviathan (cipher), RIPEMD

Chapter 12 – Message CryptographyCryptography andand Authentication Codes

NetworkNetwork SecuritySecurity • At cats' green on the Sunday he took the message from the inside of the pillar and added Peter Moran's name to ChapterChapter 1212 the two names already printed there in the "Brontosaur" code. The message now read: “Leviathan to Dragon: Martin Hillman, Trevor Allan, Peter Moran: observe and tail. ” What was the good of it John hardly knew. He felt Fifth Edition better, he felt that at last he had made an attack on Peter Moran instead of waiting passively and effecting no by William Stallings retaliation. Besides, what was the use of being in possession of the to the codes if he never took Lecture slides by Lawrie Brown advantage of it? (with edits by RHB) • —Talking to Strange Men, Ruth Rendell

Outline

• we will consider: • message authentication is concerned with: – message authentication requirements – protecting the integrity of a message – message authentication using – validating identity of originator – non -repudiation of origin (dispute resolution) – MACs • three alternative approaches used: – HMAC authentication using a – hash functions (see Ch 11) – DAA – message encryption – CMAC authentication using a – message authentication codes ( MACs ) and CCM – GCM authentication using a block cipher – PRNG using Hash Functions and MACs Symmetric Message Encryption Message Authentication Code • encryption can also provides authentication (MAC) • if symmetric encryption is used then: • generated by an algorithm that creates a small – receiver knows sender must have created it fixed -sized block – depending on both message and some key – since only sender and receiver know key used – depending on both message and some key – like encryption, but need not be reversible – know content cannot have been altered … • appended to message as a digest / tag – if message has suitable structure , redundancy • receiver performs same computation on or a checksum can detect any changes … message and checks it matches the MAC • provides assurance that message is unaltered and comes from sender • esp. useful if message can be any bitpattern

Message Authentication Codes Message Authentication Codes

• a MAC is a cryptographic checksum • as shown, the MAC provides authentication

MAC = CK(M) • can also use encryption for secrecy – condenses a variable -length message M – generally use separate keys for each – using a secret key K – can compute MAC either before or after encryption – is generally regarded as better done before – to a fixed -sized authenticator • why use a MAC? • is a many -to -one function – sometimes only authentication is needed – many messages will have same MAC – sometimes need authentication to persist longer than – but finding these needs to be very difficult the encryption ( eg . archival use) – protection for arbitrary bitpattern plaintexts • a MAC is not a (repudiation) Uses of MAC • simultaneously protect confidentiality and authenticity of communications – often required but usually separate • approaches – Hash -then -encrypt: E(K, (M || H(M)) – MAC -then -encrypt: E(K2, (M || MAC(K1, M)) – Encrypt -then -MAC: (C=E(K2, M), T=MAC(K1, C)) – Encrypt -and -MAC: (C=E(K2, M), T=MAC(K1, M)) • decryption / verification straightforward • vulnerabilities with all, without good design

Requirements for MACs Security of MACs

• taking into account the types of attacks • like block ciphers we have: • need the MAC to satisfy the following: • brute -force attacks exploiting 1. knowing a message and MAC, is infeasible to find – strong collision resistance — a hash has another message with same MAC m strength 2 /2 2. MACs should be uniformly distributed • 128 -bit hash looks vulnerable, 160 -bits better 3. MAC should depend equally on all bits of the message – MACs with known message -MAC pairs • similar to hash function properties ( preimage • can either attack keyspace (cf key search) or MAC resistance, second preimage resistance, • at least 128 -bit MAC is needed for security collision resistance) Security of MACs Keyed Hash Functions as MACs

• like block ciphers we have: • want a MAC based on a hash function • cryptanalytic attacks exploit structure – because hash functions are generally faster – like block ciphers want brute -force attacks to – crypto hash function code is widely available be the best alternative • hash includes a key along with message • greater variety of MACs so harder to • original proposal: generalize about KeyedHash = Hash(Key|Message ) – some weaknesses were found with this • eventually led to development of HMAC

HMAC Design Objectives HMAC

• use, without modifications, hash functions • specified as Internet standard RFC2104 • uses hash function on the message: • allow for easy replacement of embedded + HMAC K(M) = Hash[(K XOR opad ) || hash function Hash[(K + XOR ipad ) || M)] ] • preserve original performance of hash – where K+ is the key, zero -padded out to size – opad , ipad are specified padding constants (50% function without significant degradation bits in common), repeated to pad out to size • use and handle keys in a simple way. • overhead is just 3 more hash calculations than the message needs alone • have well understood cryptographic analysis the message needs alone • any hash function can be used of authentication mechanism strength – eg. MD5, SHA -1, RIPEMD -160, Whirlpool, etc. ipad = (00110110)*

HMAC HMAC Precom - Overview putation

opad = (01011100)*

HMAC Security Using Symmetric Ciphers for MACs • can use any block cipher chaining mode • proved security of HMAC relates to that of the underlying hash algorithm and use final block as a MAC • attacking HMAC requires either: • Data Authentication Algorithm (DAA) is – brute force attack on key used a widely used MAC based on DES -CBC – (but since keyed, would need – using IV=0 and zero -pad of final block to observe a very large number of messages) – encrypt message using DES in CBC mode • choose hash function used based on – and send just the final block as the MAC speed versus security constraints • or the leftmost M bits (16 0M064) of final block • but final MAC is now too small (64 bits) for security Data Authentication Algorithm CMAC

• previously saw the DAA (CBC -MAC) • widely used in government and industry • but has message size limitation • can overcome using 2 keys and padding • thus forming the Cipher -based Message Authentication Code (CMAC) • adopted by NIST SP800 -38B

N.B. DAA K(X) = DAA K(X || (X XOR DAA K(X)))

CMAC Overview Counter with Cipher Block Chaining -Message K = L•x 1 Authentication Code (CCM) L = E (K,0 n) • NIST standard SP 800 -38C for WiFi • variation of encrypt -and -MAC approach use • variation of encrypt -and -MAC approach GF(2 blocksize ) • algorithmic ingredients – AES encryption algorithm

2 – CTR mode of operation K2 = L•x – CMAC authentication algorithm • single key used for both encryption & MAC Galois/Counter Mode (GCM)

• NIST standard SP 800 -38D, parallelizable • message is encrypted in variant of CTR CCM • multiplied with key H and length Operation over GF(2 128 ) to generate authenticator • have GMAC MAC -only mode also • uses two functions: – GHASH - a keyed hash function – GCTR - CTR mode with incremented counter

GCM Functions — GHASH

GCM Mode Overview GHASH details GCM Functions — GCTR

• GHASH is based entirely on GF(2 128 ) • XOR is addition, • is multiplication, distributive law works

Y1 = X 1•H Y2 = (X 2+Y 1)•H = (X 2+X 1•H)•H 2 = X 2•H+X 1•H …… Ym = (X m+Y m-1 )•H 2 m = X m•H+X m-1 •H + … + X 1•H

Pseudorandom Number Pseudorandom Number PRNG using a Hash Function Generation (PRNG) Using Hash • hash PRNG from Functions and MACs SP800 -90 and • essential elements of PRNG are ISO18031 – seed value – take seed V – deterministic algorithm – repeatedly add 1 • seed must be known only as needed – hash V – use n -bits of hash • can base PRNG on as random value – encryption algorithm ( Chs 7 & 10) • secure if good – hash function (ISO18031 & NIST SP 800 -90) hash used – MAC (NIST SP 800 -90) PRNG using a MAC

• MAC PRNGs in SP800 -90, IEEE 802.11i, TLS – use key – input based on last hash in various ways