Authentication - PowerPoint PPT Presentation

Slides: 48
Provided by: farooq9
Transcript and Presenter's Notes

1
Authentication
2
Authentication
  • Message authentication
  • Digital signatures or MACs
  • No timeliness guarantees w.r.t. when a message was
    created
  • Entity authentication
  • Involves corroboration of a claimant's identity
    through actual communications
  • Provide assurances only at the instant in time of
    successful protocol completion
  • No ongoing assurances provided
  • Typically involves no meaningful message other
    than the claim

3
Hash Functions
  • Hash function
  • Compression: condenses an arbitrary message to a
    fixed size
  • Larger domains mapped to smaller ranges
  • So a many-to-one function
  • Existence of collisions is unavoidable
  • Ease of computation: the hash value is easy to
    compute
  • Hash value serves as a compact representative
    image of an input string
  • can use in various ways with message
  • most often to create a digital signature
  • hash used to detect changes to message
  • Requires that collisions be computationally
    difficult to find
  • Message authentication codes (keyed hash
    functions)
  • Class of hash functions that allow message
    authentication by symmetric techniques
  • take a message and a secret key and produce a
    fixed-size output
  • Infeasible to produce the same output without
    knowledge of key

4
Types of hash functions
5
Types of hash functions
  • Modification detection codes
  • Provides a representative image of a message
  • Facilitates data integrity assurances
  • Unkeyed hash functions
  • Types
  • One-way hash functions
  • Finding an input which hashes to pre-specified
    hash value is difficult
  • Collision resistant hash functions
  • Finding any two inputs having the same hash-value
    is difficult
  • Message authentication codes (MACs)
  • Facilitates data integrity assurances as well as
    data source
  • Keyed hash functions

6
Properties of hash functions
  • Unkeyed hash functions
  • Preimage resistance (one way)
  • Computationally infeasible to find any input
    which hashes to that output
  • given h, it is infeasible to find x s.t. H(x) = h
  • E.g. x^2 mod n has preimage resistance
  • 2nd preimage resistance (weak collision
    resistance)
  • Computationally infeasible to find any second
    input which has the same output as any specified
    input
  • given x, it is infeasible to find y s.t. H(y) = H(x)
  • The previous example does not have this: x and -x
    have the same hash value
  • Collision resistance (strong collision
    resistance)
  • Computationally infeasible to find any two
    distinct inputs which hash to the same output
  • it is infeasible to find any x, y s.t. H(y) = H(x)
  • Free choice of both inputs
  • Implies 2nd preimage resistance

7
Properties of hash functions
  • Keyed hash functions
  • Computation resistance
  • Given zero or more text-MAC pairs,
    computationally infeasible to compute any
    text-MAC pair for any new input (implies key
    non-recovery)

8
Additional properties of hash functions
  • Non-correlation
  • Input and output bits should not be correlated
  • Avalanche property desirable
  • Near-collision resistance
  • Hard to find any two inputs whose hash values
    differ in only a small number of bits
  • Partial-preimage resistance
  • Should be as difficult to recover any substring
    as to recover the entire input

9
Basic uses of hash function
10
Basic uses of hash function
11
General structure of secure hash code
12
Iterated hash function
  • Can create an unkeyed hash function from a
    collision resistant compression function f
  • Merkle's meta-method for hashing

13
Security objectives for hash functions
  • Ideal strength for CRHF follows due to birthday
    attack
  • t is the keysize
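
The birthday bound behind this slide, as an added example that is not part of the original presentation: an n-bit hash yields a collision after roughly 2^(n/2) evaluations. It assumes SHA-256 truncated to a small number of bits as a stand-in for a short hash; the function names and the messages are constructed for illustration.

```python
import hashlib
import math

def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data), modelling an n-bit hash function."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def find_collision(bits: int):
    """Hash distinct constructed messages until two share a hash value.

    Returns (first_message, second_message, evaluations_used).
    """
    seen = {}
    counter = 0
    while True:
        message = f"constructed-message-{counter}".encode()
        value = truncated_hash(message, bits)
        if value in seen:
            return seen[value], message, counter + 1
        seen[value] = message
        counter += 1

def birthday_estimate(bits: int) -> float:
    """Expected evaluations before the first collision: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

if __name__ == "__main__":
    for bits in (16, 20, 24):
        m1, m2, used = find_collision(bits)
        print(f"{bits}-bit hash: collision after {used} evaluations "
              f"(estimate {birthday_estimate(bits):.0f}, "
              f"preimage search would need about {2 ** bits})")
```

The gap between the collision cost and the 2^n preimage cost is why a collision-resistant hash needs twice the output length of the security level it is meant to provide.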

14
Unkeyed hash functions
  • Categories
  • Based on block ciphers
  • Customized hash functions
  • Based on modular arithmetic

15
Hash functions based on block ciphers
  • Allows reuse of an existing block cipher
  • Single length MDCs
  • Matyas-Meyer-Oseas
  • Davies-Meyer
  • Miyaguchi-Preneel
  • Double length MDCs
  • MDC-2
  • MDC-4

16
Single-length MDCs
  • Components
  • Generic n-bit block cipher E
  • Function g which maps n-bit inputs to key K for E
  • Initial value IV, for use with E

17
MDC-2
18
MDC-4
19
Customized hash functions
  • Designed from scratch explicitly for hashing
  • Not constrained to reuse existing systems
  • Most frequently used ones are based on the MD4
    hash function

20
MD5
  • latest in a series of MD2, MD4
  • produces a 128-bit hash value
  • until recently was the most widely used hash
    algorithm
  • in recent times has had both brute-force and
    cryptanalytic concerns
  • specified as Internet standard RFC1321

21
MD5 Overview
  • pad message so its length is 448 mod 512
  • append a 64-bit length value to message
  • initialise 4-word (128-bit) MD buffer (A,B,C,D)
  • process message in 16-word (512-bit) blocks
  • using 4 rounds of 16 bit operations on message
    block and buffer
  • add output to buffer input to form new buffer
    value
  • output hash value is the final buffer value

22
MD5 Overview
23
MD5--Single block processing
24
MD5 Compression Function
  • each round has 16 steps of the form
  • a = b + ((a + g(b,c,d) + Xk + Ti) <<< s)
  • a,b,c,d refer to the 4 words of the buffer, but
    used in varying permutations
  • note this updates 1 word only of the buffer
  • after 16 steps each word is updated 4 times
  • where g(b,c,d) is a different nonlinear function
    in each round (F,G,H,I)
  • Ti is a constant value derived from sin
  • Xk is derived from the message block
  • i,k depend on the round and step

25
MD5 Compression Function
26
MD4
  • precursor to MD5
  • also produces a 128-bit hash of message
  • has 3 rounds of 16 steps vs 4 in MD5
  • design goals
  • collision resistant (hard to find collisions)
  • direct security (no dependence on "hard"
    problems)
  • fast, simple, compact
  • favours little-endian systems (eg PCs)

27
Secure Hash Algorithm (SHA-1)
  • SHA was designed by NIST and NSA in 1993, revised
    1995 as SHA-1
  • US standard for use with DSA signature scheme
  • standard is FIPS 180-1 1995, also Internet
    RFC3174
  • nb. the algorithm is SHA, the standard is SHS
  • produces 160-bit hash values
  • now the generally preferred hash algorithm
  • based on design of MD4 with key differences

28
SHA Overview
  • pad message so its length is 448 mod 512
  • append a 64-bit length value to message
  • initialise 5-word (160-bit) buffer (A,B,C,D,E) to
  • (67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
  • process message in 16-word (512-bit) chunks
  • expand 16 words into 80 words by mixing and
    shifting
  • use 4 rounds of 20 steps each on message block
    and buffer
  • add output to input to form new buffer value
  • output hash value is the final buffer value

29
SHA-1 Compression Function
  • each round has 20 steps which replaces the 5
    buffer words thus
  • (A,B,C,D,E) ),C,D)
  • a,b,c,d refer to the 4 words of the buffer
  • t is the step number
  • f(t,B,C,D) is nonlinear function for round
  • Wt is derived from the message block
  • Kt is a constant value derived from sin
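
The padding, message expansion, and 80-step buffer update from the two SHA-1 slides above, as an added example that is not part of the original presentation. The rotation amounts, round functions and constants follow the published SHA-1 standard (FIPS 180-1); the function names are chosen here, and the result is checked against Python's hashlib.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK

def pad(message):
    """Append 0x80, zeros up to 448 mod 512 bits, then the 64-bit bit length."""
    zeros = (55 - len(message)) % 64
    return message + b"\x80" + b"\x00" * zeros + struct.pack(">Q", 8 * len(message))

def f_and_k(t, b, c, d):
    """Nonlinear function value and constant for step t (one pair per round)."""
    if t < 20:
        return (b & c) | (~b & d), 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6

def compress(state, block):
    """Process one 512-bit block and return the new 5-word buffer."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):  # expand 16 words into 80
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):  # 4 rounds of 20 steps
        f, k = f_and_k(t, b, c, d)
        a, b, c, d, e = (e + f + rotl(a, 5) + w[t] + k) & MASK, a, rotl(b, 30), c, d
    # add output to input to form the new buffer value
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))

def sha1(message):
    """Return the SHA-1 digest of message as a hex string."""
    state = IV
    padded = pad(message)
    for i in range(0, len(padded), 64):
        state = compress(state, padded[i:i + 64])
    return "".join(f"{word:08x}" for word in state)

if __name__ == "__main__":
    for sample in (b"", b"abc", b"x" * 200):  # constructed sample inputs
        assert sha1(sample) == hashlib.sha1(sample).hexdigest()
```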

30
SHA-1 Compression Function
31
SHA-1 versus MD5
  • brute force attack is harder (160 vs 128 bits for
    MD5)
  • not vulnerable to any known attacks (compared to
    MD4/5)
  • a little slower than MD5 (80 vs 64 steps)
  • both designed as simple and compact
  • optimised for big endian CPUs (vs MD5 which is
    optimised for little endian CPUs)

32
Revised Secure Hash Standard
  • NIST have issued a revision FIPS 180-2
  • adds 3 additional hash algorithms
  • SHA-256, SHA-384, SHA-512
  • designed for compatibility with increased
    security provided by the AES cipher
  • structure and detail are similar to SHA-1
  • hence analysis should be similar

33
Basic uses of MAC
34
Why MAC
  • Over symmetric encryption
  • To ensure faster processing
  • Separation of authentication and confidentiality
    affords architectural flexibility
  • sometimes only authentication is needed and not
    secrecy e.g. SNMP messages
  • sometimes need authentication to persist longer
    than the encryption (eg. archival use)

35
Keyed Hash Functions (MACs)
  • MACs based on block ciphers
  • MACs based on MDCs
  • Customized MACs

36
MACs based on block cipher
37
Using Symmetric Ciphers for MACs
  • can use any block cipher chaining mode and use
    final block as a MAC
  • Data Authentication Algorithm (DAA) is a widely
    used MAC based on DES-CBC
  • using IV=0 and zero-pad of final block
  • encrypt message using DES in CBC mode
  • and send just the final block as the MAC
  • or the leftmost M bits (16 ≤ M ≤ 64) of final block
  • but final MAC is now too small for security

38
DAA
39
Keyed Hash Functions as MACs
  • MAC using a hash function rather than a block
    cipher
  • because hash functions are generally faster
  • Code for cryptographic hash functions widely
    available
  • not limited by export controls unlike block
    ciphers
  • hash includes a key along with the message
  • original proposal
  • KeyedHash = Hash(Key || Message)
  • some weaknesses were found with this
  • eventually led to development of HMAC

40
HMAC
  • specified as Internet standard RFC2104
  • uses hash function on the message
  • HMAC_K = Hash((K XOR opad) ||
    Hash((K XOR ipad) || M))
  • where K is the key padded out to size
  • and opad, ipad are specified padding constants
  • overhead is just 3 more hash calculations than
    the message needs alone
  • any of MD5, SHA-1, RIPEMD-160 can be used
  • Used in IP-Sec, SSL etc.
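
The HMAC construction from this slide built directly from a plain hash function, as an added example that is not part of the original presentation. The key handling (hash an over-long key, then zero-pad to the block size) and the pad bytes 0x36 and 0x5C follow RFC 2104; the function names, key and message are constructed for illustration, and the output is checked against Python's hmac module.

```python
import hashlib
import hmac

def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """Hash((K XOR opad) || Hash((K XOR ipad) || M)) with K padded to block size."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:
        # RFC 2104: a key longer than one block is replaced by its hash
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")  # "K is the key padded out to size"
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)

if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed sample key
    message = b"transfer 100 to account 42"  # constructed sample message
    tag = hmac_manual(key, message)
    assert tag == hmac.new(key, message, "sha1").digest()
    assert verify_tag(key, message, tag)
    assert not verify_tag(key, message + b"0", tag)  # altered message is rejected
    print(tag.hex())
```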

41
HMAC Overview
42
HMAC Security
  • know that the security of HMAC relates to that of
    the underlying hash algorithm
  • attacking HMAC requires either
  • brute force attack on key used
  • birthday attack (but since keyed would need to
    observe a very large number of messages)
  • choose hash function used based on speed versus
    security constraints

43
Data integrity and message authentication
  • Data integrity
  • Data state is unaltered from the time it left its
    reputed source
  • Invalid operations
  • Insertion, deletion, re-ordering, inversion,
    substitution of bits or groups of bits
  • Data origin authentication
  • Data actually came from its reputed source
  • No uniqueness or timeliness guarantees
  • Includes data integrity
  • Can be achieved using encryption or MAC or hash
    functions
  • Transaction authentication
  • Message authentication augmented to provide
    uniqueness and timeliness guarantees
  • Typically provided by use of time variant
    parameters (TVPs)

44
Data integrity using hash functions
45
Message Encryption
  • message encryption by itself also provides a
    measure of authentication
  • if symmetric encryption is used then
  • receiver knows sender must have created it
  • since only sender and receiver know the key used
  • know content cannot have been altered
  • if message has suitable structure, redundancy or
    a checksum to detect any changes

46
Message Encryption
  • if public-key encryption is used
  • encryption provides no confidence of sender
  • since anyone potentially knows public-key
  • however if
  • sender signs message using their private-key
  • then encrypts with recipient's public key
  • have both secrecy and authentication
  • again need to recognize corrupted messages
  • but at cost of two public-key uses on message

47
Basic uses of Message Encryption