Data Refinement

advertisement
Lecture 2: Message Authentication
Anish Arora
CSE5473
Introduction to Network Security
Message authentication
•
•
message authentication is concerned with:

protecting the integrity of a message

validating identity of originator

protecting the order or timeliness of a message
message authentication deals with these attacks:




•
In this lecture, we consider three alternative functions used for msg. auth.:



•
masquerade
content modification
sequence modification
timing modification
message encryption
message authentication code (MAC)
hash function
and some requirements for designing MAC codes
Message encryption provides some authentication
if symmetric encryption is used:

receiver knows sender must have created msg, since only sender&receiver know key

know content has not been altered
if public-key encryption is used:

encryption provides no confidence of sender identity, since potentially every one
knows public-key

however, if
 sender signs message using their private-key
 then encrypts with recipients public key
 we have both secrecy and authentication

again need to recognize corrupted messages, but at cost of two public-key uses on
message
Rejecting gibberish when using symmetric encryption
•
•
•
If every ciphertext value corresponds to some plaintext
value, adversary can fool receiver into accepting gibberish
An automatic means to detect whether an incoming
ciphertext decrypts to some meaningful plaintext is
desirable, but difficult
Solution is to give some structure to the plaintext:
 example:
 use checksums to separate meaningful text from gibberish
 but checksum must be internal to ciphertext (why?)
 particular choice of structure does not matter:
 e.g. use with TCP headers
Checksums
•
•
Internal versus External
IP packets: encrypt entire TCP packet; TCP header contains
checksum
Message authentication code (MAC)
MAC
•
generated by an algorithm that creates a small fixed-sized block
depending on both the message and the key
 like encryption, but need not be reversible though

•
•
•
•
appended to message
receiver performs same computation on message & checks it matches
MAC
provides assurance that message is unaltered & comes from sender,
per se does not provide encryption or signature
so, why use a MAC?
sometimes only authentication is needed
 authentication may be needed longer than encryption (e.g. archival use)


broadcast: only one needs to check, or optional check: now or later
MAC properties
•
a MAC is a cryptographic checksum
MAC = CK(M)
 condenses a variable-length message M
 using a secret key K
 to a fixed-sized authenticator
•
is a many-to-one function
 potentially many messages have same MAC
 but finding these needs to be very difficult
A brute force attack on MAC
•
On average, brute-force attack on k-bit key is O(2k-1 )
•
With m-bit MAC, say m < k,
 given plaintext P and ciphertext C brute-force search of all 2k
keys, will still yield 2k / 2m plausible keys
 this can be iterated with more plaintexts until the key if
found, but remains an expensive process
Requirements for MACs
•
taking into account other types of attacks, we need the
MAC to satisfy the following:
1.
knowing a message and MAC, is infeasible to find another
message with same MAC
2.
MACs should be uniformly distributed
3.
MAC should depend equally on all bits/parts of the message
Using symmetric ciphers for MACs
•
•
can use any block cipher chaining mode and use final
block as a MAC
Data Authentication Algorithm (DAA) is a widely used
MAC based on DES-Cipher Block Chaining
 using IV=0 and zero-pad of final block
 encrypt message using DES in CBC mode
 and send just the final block as the MAC
 or the leftmost M bits (16≤M≤64) of final block
•
but final MAC is now too small for security
More recent symmetric cipher options
•
•
•
Use AES instead of DES
CBC mode requires final encryption with a second,
independent key to avoid extension attacks
Digression: NMAC (nested MAC) alternative
 Output in key space, unlike CBC output in message space
 Cascade function, but not well suited for AES
 Needs padding with fixed pad, and encryption with second,
independent key
•
How padding works
 CMAC: NIST standard, CCM mode, uses two keys wrt pad/not
Message authentication via hash functions
+ digital
signature also
Message authentication via hash functions (contd.)
•
Secret value is added before hashing and then removed
before transmission
Message authentication via hash functions
Note: In scheme (c) hashing M || S is more secure than
hashing S || M
•

•
given the iterative structure of hash functions, adversary
could extend M with M||X and generate new hash
Diffusing S in the hash of M and S can be achieved by
using HMAC
Keyed hash functions as MACs
•
desirable to create a MAC using a hash function rather than a
block cipher

because hash functions are generally faster

not limited by export controls unlike block ciphers
•
hash includes a key along with the message
•
original proposal:
KeyedHash = Hash(Key|Message)

•
some weaknesses were found with this
eventually led to development of HMAC
HMAC
•
specified as Internet standard RFC2104
•
uses hash function on the message:
HMACK = Hash[(K+ XOR opad) ||
Hash[(K+ XOR ipad)||M)]]
•

where K+ is the key padded out to size

and opad, ipad are specified padding constants
overhead is just 3 more hash calculations than the message
needs alone
•
can use MD-5 or SHA-1
HMAC overview
HMAC security
•
•
security of HMAC relates to that of the underlying hash
algorithm
attacking HMAC requires either:
 brute force attack on key used
 birthday attack (but since keyed would need to observe a very
large number of messages)
•
choose hash function based on speed vs. security constraints
Download