MESSAGE AUTHENTICATION and HASH FUNCTIONS - Chapter 11

1
MESSAGE AUTHENTICATION and HASH
FUNCTIONS - Chapter 11
Masquerade message insertion,
fraud, ACK Content Modification Sequence
Modification insertion, deletion,
re-ordering Timing Modification
delay, replay
2
AUTHENTICATION
Message Encryption
EK (M) Message Authentication Code (MAC)
CK(M) Hash Function
H(M)
3
BASIC USES OF MESSAGE ENCRYPTION
4
INTERNAL AND EXTERNAL ERROR CONTROL
5
STRUCTURE
Fig 11.1a Legitimacy test at B
(intelligible) - small subset of plaintext
legitimate - structured Fig 11.2a Structured
redundancy via FCS - internal ECC -
authentication Fig 11.2b External ECC
opponent can construct code words -
authentication Any structure will do e.g.
Fig 11.3
6
BASIC USES OF MESSAGE ENCRYPTION
7
PUBLIC-KEY
Fig 11.1b Confidentiality Fig 11.1c
Authentication -
plaintext needs structure Signature
- only A could have sent,
not even B Fig 11.1
Confidentality / Authentication Table 11.1
8
TCP SEGMENT
9
BASIC USES of MESSAGE AUTHENTICATION
CODE (MAC)
10
MAC
A, B share key, K MAC CK(M) Transmit
message MAC
(Fig 11.4a) MAC not necessarily
reversible - less vulnerable than encryption
11
BASIC USES of MESSAGE AUTHENTICATION
CODE (MAC)
12
Authentication Confidentiality
Figs 11.4b and 11.4c - Two separate keys
(Table 11.2) - Fig 11.4b preferred Use
MAC, not conventional Encryption - MAC gives
no signature - sender/receiver share key
13
Authentication Confidentiality
SCENARIOS

• Broadcast message one destination monitors
  authenticity
• 2. Heavy load selective authentication
• 3. SporadicAuthentication of computer program
• 4. Secrecy Unimportant
• 5. Separation of authentication and
  confidentiality
• - flexible
• 6. Prolong protection against modification

14
BASIC USES OF HASH FUNCTION
15
BASIC USES OF HASH FUNCTION
16
HASH FUNCTIONS

• variable size ? fixed size
• M ?
  H(M)
• ? MH(M) (error detection)
• Fig 11.5 Table 11-3
• (b) and (c) require less computation
• (e) - no encryption

17
FOR AUTHENTICATION COMPARE HASH WITH
ENCRYPTION

• Encryption is
• Slow
• Costly in hardware
• Optimised for large data blocks
• Patented
• Export control

18
MAC

• MAC CK(M)
• many-to-one, domain is arbitrary length
• Attack
• MAC collisions 2k keys, 2n MACs, 2n lt 2k
• Many keys for one MAC opponent cannot
  choose
• Opponent must iterate attack for many MACs
• Round 1 2k-n keys
• Round 2 2k-2n keys
• .. .. ..
• Round r 1 key

19
MAC PROPERTIES

• Given M and CK(M),
• too much work to construct M such that,
  
• CK(M) CK(M)
• 2. CK(M) uniformly distributed
• pr(CK(M) CK(M)) 2-n

20
DATA AUTHENTICATION ALGORITHM (CBC Mode)
21
HASH FUNCTIONS

• h H(x) - file fingerprint
• Properties
• 1. Any size input
• 2. Fixed-size output
• 3. H(x) easy to compute
• 4. Infeasible to compute x given h (one-way)
  2n
• 5. (Weak Collision Resistance) 2n
• Given x, infeasible to compute y not equal
  to x such that, H(y) H(x) -
  prevents forgery
• 6. (Strong Collision Resistance) 2n/2
• Infeasible to find (x,y) such that H(x)
  H(y)
• -
  Birthday Attack

22
BIRTHDAY ATTACK

• Given M , find M such that H(M) H(M)
• 
  2n-1 hashes
• But (Fig 11.5c),
• Prepare 2n/2 variations of M
• Prepare 2n/2 variations of M
• Search for H(M) H(M)
• Pr(success) gt 0.5 using 2n/2
  hashes
• A signs M ? H(M)
• Opponent substitutes M for M
• A encrypts MH(M)

23
MEET-IN-THE-MIDDLE
ATTACK

• Block Chaining
• Given M M1 M2 MN
• H0 init
• Hi EMiHi-1
• G HN
• Opponent has M and encrypted signature, G
• Construct arbitrary message
• Q1 Q2 . QN-2
• Compute Hi EQiHi-1 up to HN-2
• Find X,Y such that EXHN-2 DYG (prob 2n/2)
• Construct Q1 Q2 . QN-2 X Y M
• Substitute M for M

24
BRUTE-FORCE ATTACKS

• Hash 2n/2
• MAC min(2k,2n)
• - like symmetric encryp.

25
SECURE HASH CODE
If compression function collision-resistant then
so is iterated hash function
26
THE BIRTHDAY PARADOX