Message Authentication Code
advertisement
Chapter - 3 PUBLIC-KEY CRYPTOGRAPHY AND MESSAGE AUTHENTICATION 3.1 Approaches to Message Authentication • We can protects our data from passive attacks using Encryption. • But now how we can protects data from active attacks. • So that protection against such attacks is known as message authentication. • Message authentication is a procedure that allows communicating parties to verify that received messages are authentic. Cont... • The two important aspects are to verify that the contents of the message have not been altered and that the source is authentic. 1. Authentication Using Conventional Encryption : • It would seem possible to perform authentication simply by the use of symmetric encryption. Cont... – sender and receiver share a key. – If the message includes an error-detection code and a sequence number, the receiver is assured that no alterations have been made and sequencing is proper. – If the message also includes a timestamp.. • In fact, symmetric encryption alone is not a suitable tool for data authentication. • Example, in the ECB mode of encryption Cont... 2. Message Authentication without Message Encryption • Message authentication without message encryption is not dependent on the Encryption fundamental but it is dependent on the Authentication tag. • Authentication tag is generated and appended to each message for transmission. • The message itself is not encrypted and can be read at the destination independent of the authentication function at the destination. Cont... • Here message confidentiality is not provided because message is not in encrypted form. • However, it is possible to combine authentication and confidentiality in a single algorithm by encrypting a message plus its authentication tag. • Message authentication is provided as a separate function from message encryption. Cont... • Three situations in which message authentication without confidentiality is preferable: 1. There are a number of applications in which the same message is broadcast to a number of destinations. – For example notification to network is now unavailable. users that the Cont... 2. Another possible scenario is an exchange in which one side has a heavy load and cannot afford the time to decrypt all incoming messages. 3. Authentication of a computer program in plaintext is an attractive service. – The computer program can be executed without having to decrypt it every time, which would be wasteful of processor resources. Message Authentication Code • Calculate the MAC as a function of the message and the key. MAC = F(K, M) Message Authentication Code • This techniques invokes the use of secret key to generate small block of data known as message authentication code that is appended to the message. • If we assume that only the receiver and the sender know the identity of the secret key, and if the received code matches the calculated code, then the given statements apply: Cont... i. The receiver is assured that the message has not been altered. ii. The receiver is assured that the message is from the alleged sender. Because no one else knows the secret key. iii. If the message includes a sequence number then the receiver can be assured of the proper sequence. One – Way Hash Function One – Way Hash Function • One-way hash function is an alternative to Message Authentication Code. • As with the message authentication code, a hash function accepts a variable-size message M as input and produces a fixed-size message digest H(M) as output. • A hash function does not take a secret key as input just like MAC. Using Conventional Encryption • This is the first way through which we can authenticates our message. • The message digest can be encrypted using conventional encryption. • If it is assumed that only the sender and receiver share the encryption key then authenticity is assured. Using public key Encryption Using public key Encryption • Two advantages of using public key encryption.... 1. It provides a digital signature as well as message authentication. 2. It does not require the distribution of keys to communicating parties. Using secret value Using secret value • Here hash function is used but no encryption for message authentication. • This will assume that two communicating parties, say A and B, share a common secret value S-AB. • When A has a message to send B, it calculate the hash function over the concatenation of secret value and the message : MDm=H(Sab||M) and verify MDm. Cont... • Because the secret value itself is not sent. • It is not possible for an attacker to modify an intercepted message. • As long as the secret value remains secret it is not possible for an attacker to generate a false message. 3.2 Secure Hash Function • Secure hash function is very important for the message authentication and digital signature. • Digital Signature : prove identity of the sender and provides data integrity. • Data Integrity : ensure that received data is same as sent by sender. Hash function Requirements • The purpose of a hash function is to produce a fingerprint of file, message or other block of data. • Properties of H hash function.... 1. H can be applied to any block of data. 2. H produces a fix length output. 3. H(x) is relatively easy to compute for any given size x. Note : first three properties are requirements for the practical application of hash function. Cont... 4. For any given code h, it is computationally infeasible to find x such that H(x)=h. So it is also known as one-way property. Note : the forth property says that generates code from message is easy but to generates message from code is impossible. 5. For any given block x, it is computationally infeasible to find y != x with H(y)=H(x). Cont... 6. It is computationally in feasible to find any pair (x,y) such that H(x)=H(y). If this property is not true an attacker would be capable of... 1. Observe a message plus its encrypted hash code. 2. Generate an unencrypted hash code from the message. 3. Generate an alternate message with the same hash code. Simple hash functions • All the hash functions operates using following general principles... Ci= bi1 XOR bi2 XOR.....XOR bim • Here, input is viewed as a sequence of n-bit blocks. • Input is processed one blocks at a time in an interactive fashion to produce an n-bit hash function. Cont... • Simplest hash functions is the bit-by-bit XOR of every block. E.g. Ci= bi1 XOR bi2 XOR... XOR bim Bit 1 Bit 2 ....... Bit n Block 1 B11 B21 ...... Bn1 Block 2 B12 B22 ....... Bn2 . . . , . . . . . . Block m B1m B2m ..... Bnm Hashcode C1 C2 cn Process how to generate Hash Code (c) • Suppose message consisting of a sequence of 64-bit blocks. – X1, x2, x3...., xn – It define the hash code C as the block-by-block XOR or all blocks append the hash code as final block. – C = XN+1 = x1 EXOR x2 XOR ...XOR XN – X1= IV XOR D(K,y1) – X2= y1XOR D(K,y2) .... – Xi= yi-1 XOR D(k,yi) – XN+1=YN XOR D(K,YN+1) The SHA secure Hash function • SHA was developed by NIST and published as a Federal Information Processing Standard (FIPS 180) in 1993. • When weaknesses were discovered in SHA revised version was issued as FIPS 180-1 in 1995 and it is referred to as SHA – 1. • SHA is based on the hash function MD4 and it is closely design models to MD4. Comparison of SHA Parameters What is MD4 ?? • MD4 is an earlier version of MD5, an algorithm used to verify data integrity through the creation of a 128-bit message digest from data input (which may be a message of any length). • That is claimed to be as unique to that specific data as a fingerprint is to the specific individual. What is Message Digest ?? • Message Digest are commonly 128 bits to 160 bits in length and provide a digital identifier for each digital file or documents. • It is mathematical function that process information to produce a different message digest for unique document. Message Digest Generation Using SHA-512 Step -1 Append padding bit. – In this if we want to pad the bit at that time first bit should be 1 and all other are 0 – For example : 10000.. Step -2 Append length. – In this a block of 128 bits is appended to the message. – It contains the length of the original message and it is in the form of unsigned 128-bit integer. (before padding) Cont… Step -3 Initialize hash buffer. – The buffer can be represented as eight 64-bit register. so the size of buffer is 512=64*8. – This buffer is used to hold intermediate and final result of the hash function. Step -4 Process message in 1024-bit blocks – Here, each block is pass from 80 rounds. – Each round takes as input the 512-bit buffer value such as a, b, c, d, e, f, g, h and updates the content of the buffer. – Round – 0 is hash buffer. – In next select 64 bit word from the message as random manner (first 80 prime numbers) – Here we have to also apply key in each round. – And this process is continues up to Round – 80. – Then the output of the 80th round is added to the input to the for 1st round (Hi-1) to produce H1. Cont… Step -5 Output – Now it will generates 512 –bit message digest. Figure 3.4 Message Digest Generation Using SHA-512 Figure 3.5 SHA-512 Processing of a Single 1024-Bit Block 3.3 Message Authentication Codes • In cryptography, a hash message authentication code (HMAC) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. • It may be used to verify both the data integrity and the authentication of a message. Cont… • Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly. • HMAC is used in Internet Protocols such as Transport Layer Security (TLS) and Secure Electronic Transaction (SET). HMAC design objective • RFC 2104 lists the following design objective for HMAC.. 1. To use available hash function without modification. 2. To allow for easy replacements of the embedded hash function. 3. To preserve the original performance of the Hash function. Cont… 4. To have a well-understood cryptographic analysis. HMAC algorithm Process of HMAC is define as follows.. Step -1 Append zero to the left end of K to create a b-bit string K+ Note : K is secret key. e.g. k is length of 160 bits b is length of 512 bits k will be appended to 44 zeros bytes. Step -2 XOR K+ with ipad to produce the b-bit block si. Cont… Step - 3 Append M to si. Note : M is message input to HMAC. Step - 4 Now apply H to the stream generated in step-3. Step – 5 XOR K+ with opad to produce the b-bit block s0 . Cont… Step -6 Append the hash result from Step-4 to s0. Step -7 Apply H to the stream generated in step -6 and output the result. MACs Based on Block Ciphers Process of calculating Message Authentication Code (T) • There is two approaches for it... 1. Message length is integer multiple of block size. 2. Message length is not integer multiple of block size. Cont... Terminology used... • B=block length/size i.e. AES, b=128 bits 3DES, b=64 bits • Now message is divided into n blocks (M1, M2, M3,.....Mn) • K means key i.e. AES k=128,192,256 3DES k=112 or 168 • K1 suppose message is divided into 4 block Cont... How CMAC is calculated c1=E(k,M1) c2=E(k,[M XOR c1]) c3=E(k,[M XOR c2]) : cn=E(k,[Mn XOR Cn-1 XOR k1]) MSBTlen(Cn) CMAC Counter with Cipher Block Chaining MAC • The CCM mode of operation defined in NIST SP 800-38c • It is referred to as authentication encryption mode. • It is referred to authenticated encryption mode. • CCMAES, CTR, CMAC Cont... • The input to the CCM encryption process consists of three elements..... 1. Data that will be both authenticated and encrypted. – It means this is the paintext message P of data block. 2. Associated data A that will be authenticated but not encrypted. Cont... 3. A None N that is assigned to the payload and associated data. – Nonce is unique value that is different for every instance during the lifetime of a protocol association. Cont... Cont... • Blocks of B0 through Br • First block contains the none plus some formatting bits that indicate the length of the N. – First block=none+some formatting bits (P, N, A). – Second block will store A. – Third block will store P. Cont... • Now resulting sequence of blocks serves as input to the CMAC algorithm. • Now we will get MAC with length Tlen. • And Tlen is less than or equal to the block length. 3.4 PUBLIC-KEY CRYPTOGRAPHY PRINCIPLES Public-Key Encryption Structure : • Public-key encryption, first publicly proposed by Diffie and Hellman in 1976. • Public-key algorithms are based on mathematical functions. • public-key cryptography is asymmetric, involving the use of two separate keys. • The use of two keys has profound consequences in the areas of confidentiality, key distribution, and authentication. Public key cryptography Cont... Summary A B Confidentiality Confidentiality E(Pu b,PlainText) D(Pr b,ciphertext) Authenticity Authenticity E(Pr A,PlainText) D(Pu A,CipherText) Both Both E(Pu b,E(PrA,plaintext)) D(Pr b,D(PuA,ciphertext)) public-key encryption scheme has six ingredients • See Figure 3.9a • Plaintext: This is the readable message or data that is fed into the algorithm as input. • Encryption algorithm: The encryption algorithm performs various transformations on the plaintext. Cont... • Public and private key: This is a pair of keys that have been selected so that if one is used for encryption, the other is used for decryption. • The exact transformations performed by the encryption algorithm depend on the public or private key that is provided as input. Cont... • Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the key. • For a given message, two different keys will produce two different ciphertexts. • Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the original plaintext. How public key cryptography work ?? • As the names suggest, the public key of the pair is made public for others to use, while the private key is known only to its owner. • A general-purpose public-key cryptographic algorithm relies on one key for encryption and a different but related key for decryption Steps Step -1 Each user generates a pair of keys to be used for the encryption and decryption of messages. Step – 2 Each user places one of the two keys in a public register or other accessible file. This is the public key. The companion key is kept private. As Figure 3.9a suggests,each user maintains a collection of public keys obtained from others. Cont... Step- 3 If Bob wishes to send a private message to Alice, Bob encrypts the message using Alice’s public key. Step-4 When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice’s private key. Applications for Public-Key Cryptosystems 1. Encryption/decryption: • The sender encrypts a message with the recipient’s public key. 2. Digital signature: • The sender “signs” a message with its private key. • Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message. Cont... 3. Key exchange: • Two sides cooperate to exchange a session key. • Several different approaches are possible, involving the private key(s) of one or both parties. Requirement of the public key cryptographer 1. It is computationally easy for a party B to generate a pair (public key PUb, private key PRb). 2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, M, to generate the corresponding ciphertext: C = E(PUb,M) Cont... 3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the original message: M = D(PRb, C) = D[PRb, E(PUb,M)] 4. It is computationally infeasible for an opponent, knowing the public key, PUb, to determine the private key, PRb. Cont... 5. It is computationally infeasible for an opponent, knowing the public key, PUb, and a ciphertext, C, to recover the original message, M. 6. Either of the two related keys can be used for encryption, with the other used for decryption. M = D[PUb, E(PRb,M)] = D[PRb, E(PUb,M)] 3.6 DIGITAL SIGNATURES • Suppose that Bob wants to send a message to Alice, and although it is not important that the message be kept secret, he wants Alice to be certain that the message is indeed from him. • In this case, Bob uses his own private key to encrypt the message. • When Alice receives the ciphertext, she finds that she can decrypt it with Bob’s public key, thus proving that the message must have been encrypted by Bob. Cont... • No one else has Bob’s private key, and therefore no one else could have created a ciphertext that could be decrypted with Bob’s public key. • Therefore, the entire encrypted message serves as a digital signature. • In addition, it is impossible to alter the message without access to Bob’s private key, so the message is authenticated both in terms of source and in terms of data integrity. 3.5 PUBLIC-KEY CRYPTOGRAPHY ALGORITHMS The RSA Public-Key Encryption Algorithm • One of the first public-key schemes was developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT and first published in 1978. • RSA is a block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n.
