Message Authentication and Hash
Functions





Authentication Requirements
Authentication Functions
Message Authentication Codes
Hash Functions
Security of Hash Functions and
MACs
1
Authentication Requirements

Kind of attacks (threats) in the context of
communications across a network
1.
2.
3.
4.
5.
6.
7.

Measures to deal with first two attacks:


In the realm of message confidentiality, and are addressed with
encryption
Measures to deal with items 3 thru 6


Disclosure
Traffic analysis
Masquerade
Content modification
Sequence modification
Timing modification
Repudiation
Message authentication
Measures to deal with items 7

Digital signature
2
Authentication Requirements

Message authentication
 A procedure
to verify that messages come from
the alleged source and have not been altered
 Message authentication may also verify
sequencing and timeliness

Digital signature
 An
authentication technique that also includes
measures to counter repudiation by either source
or destination
3
Authentication Functions
Authentication Functions

Message authentication or digital signature mechanism
can be viewed as having two levels


At lower level: there must be some sort of functions producing
an authenticator – a value to be used to authenticate a
message
This lower level functions is used as primitive in a higher level
authentication protocol
4
Authentication Functions
Authentication Functions

Three classes of functions that may be used to produce
an authenticator
 Message encryption

Ciphertext itself serves as authenticator
 Message authentication code (MAC)
 A public function of the message and a secret key that
produces a fixed-length value that serves as the
authenticator
 Hash function
 A public function that maps a message of any length into a
fixed-length hash value, which serves as the authenticator
5
Authentication Functions
Message Encryption

Conventional encryption can serve as
authenticator
 Conventional
encryption provides authentication as
well as confidentiality
 Requires recognizable plaintext or other structure to
distinguish between well-formed legitimate plaintext
and meaningless random bits

e.g., ASCII text, an appended checksum, or use of layered
protocols
6
Authentication Functions
Basic Uses of Message Encryption
7
Authentication Functions
Ways of Providing Structure
• Append an error-detecting code (frame check
sequence (FCS)) to each message
8
Authentication Functions
Ways of Providing Structure - 2
• Suppose all the datagrams except the IP header is
encrypted.
• If an opponent substituted some arbitrary bit pattern for
the encrypted TCP segment, the resulting plaintext
would not include a meaningful header
9
Authentication Functions
Confidentiality and Authentication Implications
of Message Encryption
10
Authentication Functions
Message Authentication Code



Uses a shared secret key to generate a fixedsize block of data (known as a cryptographic
checksum or MAC) that is appended to the
message
MAC = CK(M)
Assurances:
 Message
has not been altered
 Message is from alleged sender
 Message sequence is unaltered (requires internal
sequencing)

Similar to encryption but MAC algorithm needs
not be reversible
11
Authentication Functions
Basic Uses of MAC
12
Authentication Functions
Basic Uses of MAC
13
Authentication Functions
Why Use MACs?
 i.e.,






why not just use encryption?
Cleartext stays clear
MAC might be cheaper
Broadcast
Authentication of executable codes
Architectural flexibility
Separation of authentication check from
message use
14
Authentication Functions
Hash Function


Converts a variable size message M into
fixed size hash code H(M) (Sometimes called
a message digest)
Can be used with encryption for
authentication
 E(M
|| H)
 M || E(H)
 M || signed H
 E( M || signed H ) gives confidentiality
 M || H( M || K )
 E( M || H( M || K ) )
15
Authentication Functions
Basic Uses of Hash Function
16
Authentication Functions
Basic Uses of Hash Function
17
Authentication Functions
Basic Uses of Hash Function
18
MACs
Message Authentication Codes

MAC= CK(M)

Key length requirements
 Sufficient
key length to thwart brute force attack
19
Hash Functions
Hash Functions





h = H(M)
M is a variable-length message, h is a fixedlength hash value, H is a hash function
The hash value is appended at the source
The receiver authenticates the message by
recomputing the hash value
Because the hash function itself is not
considered to be secret, some means is
required to protect the hash value
20
Hash Functions
Hash Function Requirements
1.
2.
3.
4.
5.
6.
H can be applied to any size data block
H produces fixed-length output
H(x) is relatively easy to compute for any given x
H is one-way, i.e., given h, it is computationally
infeasible to find any x s.t. h = H(x)
H is weakly collision resistant: given x, it is
computationally infeasible to find any y  x s.t. H(x)
= H(y)
H is strongly collision resistant: it is computationally
infeasible to find any x and y s.t. H(x) = H(y)
21
Hash Functions
Hash Function Requirements



One-way property is essential for
authentication
Weak collision resistance is necessary to
prevent forgery
Strong collision resistance is important for
resistance to birthday attack
22
Hash Functions
Simple Hash Functions

Operation of hash functions



The input is viewed as a sequence of n-bit blocks
The input is processed one block at a time in an iterative fashion
to produce an n-bit hash function
Simplest hash function: Bitwise XOR of every block

Ci = bi1  bi2  …  bim




Ci = i-th bit of the hash code, 1  i  n
m = number of n-bit blocks in the input
bij = i-th bit in j-th block
Known as longitudinal redundancy check
23
Hash Functions
Simple Hash Functions
• Improvement over the simple
bitwise XOR
– Initially set the n-bit hash value to zero
– Process each successive n-bit block of data as
follows
» Rotate the current hash value to the left by
one bit
» XOR the block into the hash value
24
Birthday Attack
Birthday Attack






If the adversary can generate 2m/2 variants of a valid
message and an equal number of fraudulent
messages
The two sets are compared to find one message from
each set with a common hash value
The valid message is offered for signature
The fraudulent message with the same hash value is
inserted in its place
If a 64-bit hash code is used, the level of effort is only
on the order of 232
Conclusion: the length of the hash code must be
substantial
25
Birthday Attack
Generating 2m/2 Variants of Valid Messages
• Insert a number of
“space-backspace-space”
character pairs between
words throughout the
document.
Variations could then be
generated by substituting
“space-backspace-space”
in selected instances
• Alternatively, simply
reword the message but
retain the meaning
26
Security of Hash Functions and MACs
Brute-Force Attack of Hash Functions

Three desirable properties of hash functions




One-way: For any given code h, it is computationally infeasible to
find x s.t. H(x) = h
Weak collision resistance: For any given block x, it is
computationally infeasible to find y  x s.t. H(y) = H(x)
Strong collision resistance: It is computationally infeasible to find
any pair (x, y) s.t. H(y) = H(x)
Brute-force attack on n-bit hash code




One-way and weak collision require 2n effort
Strong collision requires 2n/2 effort
 If strong collision resistance is required (and this is desirable
for a general-purpose secure hash code), 2n/2 determines the
strength of hash code against brute-force attack
Currently, two most popular hash codes, SHA-1 and RIPEMD160, provide a 160-bit hash code length
27