Lecture 2: Message Authentication

1
Lecture 2 Message Authentication

• Anish Arora
• CSE5473
• Introduction to Network Security

2
Message authentication

• message authentication is concerned with
• protecting the integrity of a message
• validating identity of originator
• protecting the order or timeliness of a message
• message authentication deals with these attacks
• masquerade
• content modification
• sequence modification
• timing modification
• In this lecture, we consider three alternative
  functions used for msg. auth.
• message encryption
• message authentication code (MAC)
• hash function
• and some requirements for designing MAC codes

3
Message encryption provides some authentication

• if symmetric encryption is used
• receiver knows sender must have created msg,
  since only senderreceiver know key
• know content has not been altered
• if public-key encryption is used
• encryption provides no confidence of sender
  identity, since potentially every one knows
  public-key
• however, if
• sender signs message using their private-key
• then encrypts with recipients public key
• we have both secrecy and authentication
• again need to recognize corrupted messages, but
  at cost of two public-key uses on message

4
Rejecting gibberish when using symmetric
encryption

• If every ciphertext value corresponds to some
  plaintext value, adversary can fool receiver into
  accepting gibberish
• An automatic means to detect whether an incoming
  ciphertext decrypts to some meaningful plaintext
  is desirable, but difficult
• Solution is to give some structure to the
  plaintext
• example
• use checksums to separate meaningful text from
  gibberish
• but checksum must be internal to ciphertext
  (why?)
• particular choice of structure does not matter
• e.g. use with TCP headers

5
Checksums

• Internal versus External
• IP packets encrypt entire TCP packet TCP header
  contains checksum

6
Message authentication code (MAC)
7
MAC

• generated by an algorithm that creates a small
  fixed-sized block
• depending on both the message and the key
• like encryption, but need not be reversible
  though
• appended to message
• receiver performs same computation on message
  checks it matches MAC
• provides assurance that message is unaltered
  comes from sender, per se does not provide
  encryption or signature
• so, why use a MAC?
• sometimes only authentication is needed
• authentication may be needed longer than
  encryption (e.g. archival use)
• broadcast only one needs to check, or optional
  check now or later

8
MAC properties

• a MAC is a cryptographic checksum
• MAC CK(M)
• condenses a variable-length message M
• using a secret key K
• to a fixed-sized authenticator
• is a many-to-one function
• potentially many messages have same MAC
• but finding these needs to be very difficult

9
A brute force attack on MAC

• On average, brute-force attack on k-bit key is
  O(2k-1 )
• With m-bit MAC, say m lt k,
• given plaintext P and ciphertext C brute-force
  search of all 2k keys, will still yield 2k / 2m
  plausible keys
• this can be iterated with more plaintexts until
  the key if found, but remains an expensive
  process

10
Requirements for MACs

• taking into account other types of attacks, we
  need the MAC to satisfy the following
• knowing a message and MAC, is infeasible to find
  another message with same MAC
• MACs should be uniformly distributed
• MAC should depend equally on all bits/parts of
  the message

11
Using symmetric ciphers for MACs

• can use any block cipher chaining mode and use
  final block as a MAC
• Data Authentication Algorithm (DAA) is a widely
  used MAC based on DES-Cipher Block Chaining
• using IV0 and zero-pad of final block
• encrypt message using DES in CBC mode
• and send just the final block as the MAC
• or the leftmost M bits (16M64) of final block
• but final MAC is now too small for security

12
More recent symmetric cipher options

• Use AES instead of DES
• CBC mode requires final encryption with a second,
  independent key to avoid extension attacks
• Digression NMAC (nested MAC) alternative
• Output in key space, unlike CBC output in message
  space
• Cascade function, but not well suited for AES
• Needs padding with fixed pad, and encryption
  with second, independent key
• How padding works
• CMAC NIST standard, CCM mode, uses two keys wrt
  pad/not

13
Message authentication via hash functions
digital signature also
14
Message authentication via hash functions (contd.)

• Secret value is added before hashing and then
  removed before transmission

15
Message authentication via hash functions

• Note In scheme (c) hashing M S is more secure
  than hashing S M
• given the iterative structure of hash functions,
  adversary could extend M with MX and generate
  new hash
• Diffusing S in the hash of M and S can be
  achieved by using HMAC

16
Keyed hash functions as MACs

• desirable to create a MAC using a hash function
  rather than a block cipher
• because hash functions are generally faster
• not limited by export controls unlike block
  ciphers
• hash includes a key along with the message
• original proposal
• KeyedHash Hash(KeyMessage)
• some weaknesses were found with this
• eventually led to development of HMAC

17
HMAC

• specified as Internet standard RFC2104
• uses hash function on the message
• HMACK Hash(K XOR opad)
• Hash(K XOR ipad)M)
• where K is the key padded out to size
• and opad, ipad are specified padding constants
• overhead is just 3 more hash calculations than
  the message needs alone
• can use MD-5 or SHA-1

18
HMAC overview
19
HMAC security

• security of HMAC relates to that of the
  underlying hash algorithm
• attacking HMAC requires either
• brute force attack on key used
• birthday attack (but since keyed would need to
  observe a very large number of messages)
• choose hash function based on speed vs. security
  constraints