Cryptography and Network Security

Spring 2006

http://www.abo.fi/~ipetre/crypto/

Lecture 10: Message authentication: MAC, hashes

Ion Petre Academy of Finland and Department of IT, bo Akademi University

April 18, 2006

Message authentication

Goal here: having received a message one would like to make sure that the message has not been altered on the way
Produce a short sequence of bits that depends on the message and on a secret key To authenticate the message, the partner will compute the same bit pattern, assuming he shares the same secret key

This does not necessarily includes encrypting or signing the message

The message can be sent in plain, with the authenticator appended This is not a digital signature: the receiver can produce the same MAC One may encrypt the authenticator with his private key to produce a digital signature One may encrypt both the message and the authenticator

Possible attacks on message authentication:

Content modification Sequence modification modifications to a sequence of messages, including insertion, deletion, reordering Timing modification delay or replay messages

April 18, 2006

Authentication functions
Three types of authentication exist
Message encryption the ciphertext serves as authenticator Message authentication code (MAC) a public function of the message and a secret key producing a fixed-length value to serve as authenticator
This does not provide a digital signature because A and B share the same key

Hash function a public function mapping an arbitrary length message into a fixed-length hash value to serve as authenticator
This does not provide a digital signature because there is no key

April 18, 2006

I. Message encryption as authentication

Main idea here: the message must have come from A because the ciphertext can be decrypted using his (secret or public) key Also, none of the bits in the message have been altered because an opponent does not know how to manipulate the bits of the ciphertext to induce meaningful changes to the plaintext Conclusion: encryption (either symmetric or public-key) provides authentication as well as confidentiality

April 18, 2006

Encryption as authenticator

From Stallings: Cryptography and Network Security

April 18, 2006

Encryption as authenticator
Some careful considerations are needed here:
How does B recognize a meaningful message from an arbitrary sequence of bits?
He can apply the decryption key to any sequence of bits he receives

This is not necessarily easy task if the message is some sort of binary file Immediate idea of attack: send arbitrary bit sequences to disrupt the receiver he will try to figure out the meaning of that bit sequence

Defense against this type of attack: add to the message a certain structure such as an error-correcting code (e.g., check-sum bits) and then encrypt the whole file
B will detect illegitimate messages because they will not have the required structure

April 18, 2006

More to authentication than simple encryption?

Often one needs alternative authentication schemes than just encrypting the message
Sometimes one needs to avoid encryption of full messages due to legal requirements Encryption and authentication may be separated in the system architecture If a message is broadcast to several destinations in a network (such as a military control center), then it is cheaper and more reliable to have just one node responsible to evaluate the authenticity message will be sent in plain with an attached authenticator If one side has a heavy load, it cannot afford to decrypt all messages it will just check the authenticity of some randomly selected messages If the message is sent encrypted, it is of course protected over the network. However, once the receiver decrypts the message, it is no longer secure. Using a different type of authentication protects the message also on the local computer

April 18, 2006

II. Message authentication code (MAC)

To generate the MAC of a message M, Alice gives M and the secret key K to a MAC function C: MAC=CK(M)
Alice will send M plus the MAC to Bob Bob has the same secret key K and generates the MAC himself to check the match

Typical attacks on MACs

Produce an illegitimate message with the same signature as a given (or chosen) legitimate one Produce a valid MAC for an illegitimate message

Requirements for MACs

The MAC function is in general many-to-one messages are arbitrarily long and the MAC has fixed length, thus there will be more than one message with the same MAC Computationally easy to compute the MAC Knowing M and CK(M) it is computationally infeasible to construct another message M with CK(M)= CK(M) CK(M) is uniformly distributed if the attacker chooses a random bit pattern of length n, the chances of it being the correct signature is 2-n If M is obtained from M by certain transformations (even switching one bit), then the probability that the two have the same MAC is 2-n

April 18, 2006

Basic uses of MAC

April 18, 2006

Basic uses of MAC

April 18, 2006

10

MAC based on DES: Data Authentication Algorithm (DAA)

One of the most widely used MACs ANSI standard X9.17, also FIPS PUB 113 Cipher block chaining mode of DES with an initialization vector of zero
Message to be authenticated is grouped into 64-bit blocks, last block padded with 0: D1,D2, , DN O1=EK(D1), O2=EK(D2O1), O3=EK(D3O2), , ON=EK(DNON-1) MAC is ON or a part of it, e.g., its 32 leftmost bits

April 18, 2006

11

III. Authentication based on hash functions

A fixed-length hash value h is generated by a function H that takes as input a message of arbitrary length: h=H(M)
A sends M and H(M) B authenticates the message by computing H(M) and checking the match

Requirements for a hash function

H can be applied to a message of any size H produces fixed-length output Computationally easy to compute H(M) Computationally infeasible to find M such that H(M)=h, for a given h Computationally infeasible to find M such that H(M)=H(M), for a given M Computationally infeasible to find M,M with H(M)=H(M) (to resist to birthday attacks)

Note: the hash function is not considered secret some other means are required to protect it Note 2: Hash function plus secrecy (key) gives a MAC these are called HMACs

April 18, 2006

12

Basic uses of hash functions

a.

Classical encryption of message+hash Only the hash value is encrypted As in (b) but with public key (provides digital signature)

b.

c.

April 18, 2006

13

Basic uses of hash functions

d.

Hash is encrypted with an asymmetric system, then a second encryption is applied No encryption here but the hash is applied to a message where a secret text S has been appended As in (e), but with encryption

e.

f.

April 18, 2006

14

Basic uses of hash functions

April 18, 2006

15

A few simple hash functions

Bit-by-bit XOR of plaintext blocks: h= D1 D2 DN

Provides a parity check for each bit position Not very effective with text files: most significant bit always 0 Attack: to send blocks X1, X2, , XN-1, choose XN=X1 X2 XN-1 h It does not help if (only) the hash is sent encrypted!

Another example: rotated XOR before each addition the hash value is rotated to the left with 1 bit
Better than the previous hash on text files Similar attack

Another technique: cipher block chaining technique without a secret key

Divide message into blocks D1, D2,,DN and use them as keys in the encryption method (e.g., DES) H0=some initial value, Hi=EDi(Hi-1) H=HN This can be attacked with the birthday attack if the key is short (as in DES)
April 18, 2006 16

Birthday paradox
Given at least 23 people, the probability of having two people with the same birthday is more then 0.5 Related problem: Given two sets X,Y each having k elements from the set {1,2,,N}, how large should k so that the probability that X and Y have a common element is more than 0.5?
Answer: k should be larger than the square root of N If N=2m, take k=2m/2

April 18, 2006

17

Birthday attack
Suppose a hash value on 64 bits is used (as the one based on DES)
In principle this is secure: to find a message M with H(M)=H(M), one apparently has to generate in average 263 messages M

A different much more effective attack is possible

A is prepared to sign the document by appending its hash value (on m bits) and then encrypting the hash code with its private key E will generate 2m/2 variations of the message M and computes the hash values for all of them E also generates 2m/2 variations of the message M that she would really like to have A authenticating and computes the hash values for all of them By the birthday paradox, the probability that the two sets of hash values have one element in common is more than 0.5 she finds M and M with the same hash values (messages expressing totally different things!) E will offer M to A for hashing and then signing E will send instead M with the signature A has produced E breaks the protocol although she does not know As private key! Level of effort for the hash based on DES: 233

April 18, 2006

18

Example of composing variations to a message

{This letter is / I am writing} to introduce {you to / to you} {Mr. / } Alfred {P. / } Barton, the {new / newly appointed} {chief / senior} jewelry buyer for {our / the} Northern {European / Europe} {area / division}. He {will take /has taken} over {the / } responsibility for {all / the whole of} our interests in {watches and jewelry / jewelry and watches} in the {area/region}.

April 18, 2006

19

Two popular hash algorithms

MD5 SHA-1

April 18, 2006

20

MD5
Most popular hash algorithm until very recently concerns for its security were raised and was proposed to be replaced by SHA-1 Developed by Rivest at MIT For a message of arbitrary length produces an output of 128 bits
Processes the input in blocks of 512 bits

Idea:
Start by padding the message to a length of 448 bits modulo 512 padding is always added even if the message is of required length; the length of the message is added on 64 bits so that altogether the length is a multiple of 512 bits Several rounds, each round takes a block of 512 bits from the message and mixes it thoroughly with a 128 bit buffer that was the result of the previous round The last content of the buffer is the hash value

April 18, 2006

21

MD5

April 18, 2006

22

MD5 the algorithm

Padding: add a bit 1 followed by the necessary number of bits 0 Append length the length is represented on 64 bits

1. 2.

If the length is larger than 264, take the 64 least representative bits

3.

4.

Initialize MD buffer with the following 4 values, all on 32 bits: A=0x01234567, B=0x89ABCDEF, C=0xFEDCBA98, D=0x76543210 Process each message block of 512 bits in 4 rounds

Each round takes as input the 512 bits in the input and the content of the buffer ABCD and updates the buffer ABCD (details on the next slide) The four words A,B,C,D in the output of the 4th round are added modulo 232 to the corresponding words A,B,C,D of the input to the first round

5.

Output: the 128 bits in the buffer ABCD after the last round

April 18, 2006

23

MD5 processing of a single 512-bit block

Each round has 16 steps T is a table F,G,H,I are Boolean functions (tables) on B,C,D (bit-by-bit operations) X has the current 32 bits of the message
The message has 512 bits, i.e., 16 blocks of 32 bits Each of the 16 blocks is used exactly once in each round Round 1: used in consecutive order Round 2: used in the order (1+5i) mod 16, i=0,,15 Round 3: used in the order (5+3i) mod 16, i=0,,15 Round 4: used in the order 7i mod 16, i=0,,15

April 18, 2006

24

One single step in MD5

All operations here are on blocks of 32 bits T is a table g is one of the functions F,G,H,I (bit-wise function) X has the current 32 bits of the message CLSs is a circular left shift (rotation) with s bits + is addition modulo 232

April 18, 2006

25

Table T and truth table of F,G,H,I

April 18, 2006

26

Strength of MD5
Every bit of the output is a function of all bits of the input Rivests conjecture:
As strong as it can be for a 128-bit hash: birthday attack on the order of 264 and finding a message with a given digest is on the order of 2128

If MD5 is restricted to any of its 4 rounds, then it can be broken

No successful attack on the full algorithm but considered vulnerable

April 18, 2006

27

Secure Hash Algorithm (SHA)

Developed by NSA and adopted by NIST in FIPS 180-1 (1993)
SHA-1 specified in RFC 3174 contains a C code implementation

Design based on MD4 (previous version of MD5) Takes as input any message of length up to 264 bits and gives a 160-bit message digest Same structure as MD5, with block length of 512 bits and buffer of 160 bits

April 18, 2006

28

SHA-1 scheme

1.

2.

3.

4.

Append padding bits: message is padded so that length is congruent to 448 modulo 512; padding always added one bit 1 followed by the necessary number of 0 bits Append length: a block of 64 bits containing the length of the original message is added Initialize 160-bit MD buffer: this is formed by 32-bit registers A,B,C,D,E. Initial values: A=0x67452301, B=0xEFCDAB89, C=0x98BADCFE, D=0x10325476, E=C3D2E1F0 Process message in blocks of 512 bits (i.e., 16 words of 32 bits each)

Four rounds with 20 steps each (on next slide) Each round takes as input the current 512-bit input block and the 160-bit buffer ABCDE and updates the buffer there is an addition modulo 232

5.

Output: the final content of the buffer gives the message digest

April 18, 2006

29

SHA-1 processing of a single 512-bit block

Each round has 20 steps f1,,f4 are Boolean functions (tables) on b,c,d K is a constant changing in each round: o K1=0x5A827999, K2=0x6ED9EBA1, o K3=0x8F1BBCDC, K4=0xCA62C1D6 W[t] is a 32-bit block derived from the current 512-bit input, changing in every step
show later how W is generated

April 18, 2006

30

One single step in SHA-1

ft is one of the functions f1,f4 on B,C,D Sk is a circular left shift by k bits W is a 32-bit block derived from the current 512-bit input, changing in every step K is the constant defined earlier Addition is modulo 232

April 18, 2006

31

Truth tables for functions f1,,f4

April 18, 2006

32

Generating the 32-bit words Wt from the input

Wt=Xt, for 0t 15, where X is the input Wt=S1(Wt-16Wt-14 Wt-8 Wt-3), for t16

April 18, 2006

33

Strength of SHA-1
Stronger than MD5 because of longer message digest Slower than MD5 because of more rounds No known attacks
Secret design criteria

Variants of SHA-1 with longer message digests have also been proposed: SHA-256, SHA-384, SHA-512 (n-bit hash for SHA-n)

April 18, 2006

34

HMAC
Interest in recent years in developing a MAC based on a hash function
MD5 and SHA-1 run faster than symmetric block ciphers such as DES Code for hash functions widely available No export restrictions for cryptographic hash functions
Cryptographic functions (even those used in MAC) restricted

Hash values not intended for MAC they are not protected by secret keys
Some protection needs to be built on top of the hash value

The one approach that gained wide support is HMAC (RFC 2104) included in IP security and SSL Requirements for HMAC
Use existing hash functions The hash function can be easily replaced by another one treat the hash function as a black box Preserve the performance of the hash function Use and handle keys in a simple way Well understood cryptographic analysis of the strength of the authentication mechanism

April 18, 2006

35

HMAC algorithm
Idea: append a secret key to the message and compute the hash value
To avoid a brute-force attack, apply the hash twice to mangle thoroughly the bits of the key with those of the message

H=embedded hash function IV=initial value to the has function M=message input to HMAC (including the padding specific to the hash function) Yi=i-th block of M L=number of blocks in M b=number of bit sin a block n=length of the hash code K=secret key, if its length is greater than b will be given as input to the hash function to produce n-bit key K+=K padded with 0 on the left to make a b-bit key, if the original length of K is smaller than b ipad=0x36 repeated b/8 times opad=0x5C repeated b/8 times

HMACK(M)=H[ (K+ opad) || H[(K+ ipad) || M] ]

April 18, 2006 36

HMAC algorithm
H=embedded hash function IV=initial value input to hash function M=message input to HMAC (including the padding specific to the hash function) Yi= the i-th block of M L=number of blocks in M b=number of bits in a block n=length of hash code produced by the embedded hash function K=secret key, if its length is greater than b will be given as input to the hash function to produce n-bit key K+=K padded with 0 on the left to make a b-bit key, if the original length of K is smaller than b ipad=0x36 repeated b/8 times opad=0x5C repeated b/8 times HMACK(M)=H[ (K+ opad) || H[(K+ ipad) || M] ]

April 18, 2006

37

Strength of HMAC
Brute-force attack requires an effort on the level 2n-1 for a key of length n Birthday attack
The main idea in this attack is that Eve can compute the hash values of many messages and try to find a match In HMAC she is unable to do that because the hash is protected by a secret key Eve will have to rely on messages that she observes on the link: for MD5 she will have to wait in average for 264 messages generated using the same key
On a 1 Gbps-link she needs to observe a continuous stream of messages with no change in the key for about 250 000 years With SHA-1 280 messages are needed For HMAC, using MD5 is secure (and fast)

April 18, 2006

38