Lecture 2: Message Authentication
Anish Arora
CSE5473 Introduction to Network Security

Message authentication
• message authentication is concerned with:
  - protecting the integrity of a message
  - validating the identity of the originator
  - protecting the order or timeliness of a message
• message authentication deals with these attacks:
  - masquerade
  - content modification
  - sequence modification
  - timing modification
• in this lecture, we consider three alternative functions used for message authentication:
  - message encryption
  - message authentication code (MAC)
  - hash function
  and some requirements for designing MAC codes

Message encryption
• provides some authentication
• if symmetric encryption is used:
  - receiver knows the sender must have created the message, since only sender & receiver know the key
  - receiver knows the content has not been altered
• if public-key encryption is used:
  - encryption provides no confidence of sender identity, since potentially everyone knows the public key
  - however, if the sender signs the message using their private key and then encrypts it with the recipient's public key, we have both secrecy and authentication
  - again need to recognize corrupted messages, but at the cost of two public-key uses on the message

Rejecting gibberish when using symmetric encryption
• if every ciphertext value corresponds to some plaintext value, an adversary can fool the receiver into accepting gibberish
• an automatic means to detect whether an incoming ciphertext decrypts to some meaningful plaintext is desirable, but difficult
• solution is to give some structure to the plaintext:
  - example: use checksums to separate meaningful text from gibberish
  - but the checksum must be internal to the ciphertext (why?)
  - the particular choice of structure does not matter: e.g.
  use with TCP headers

Checksums: internal versus external
• IP packets: encrypt the entire TCP packet; the TCP header contains a checksum

Message authentication code (MAC)
• MAC: generated by an algorithm that creates a small fixed-sized block depending on both the message and the key
  - like encryption, but need not be reversible
• appended to the message
• receiver performs the same computation on the message & checks that it matches the MAC
• provides assurance that the message is unaltered & comes from the sender
• per se does not provide encryption or signature
• so, why use a MAC?
  - sometimes only authentication is needed
  - authentication may be needed longer than encryption (e.g. archival use)
  - broadcast: only one receiver needs to check, or optional check: now or later

MAC properties
• a MAC is a cryptographic checksum: MAC = C_K(M)
  - condenses a variable-length message M using a secret key K to a fixed-sized authenticator
• is a many-to-one function
  - potentially many messages have the same MAC
  - but finding these needs to be very difficult

A brute force attack on MAC
• on average, a brute-force attack on a k-bit key is O(2^(k-1))
• with an m-bit MAC, say m < k, given plaintext P and ciphertext C:
  - brute-force search of all 2^k keys will still yield 2^k / 2^m plausible keys
  - this can be iterated with more plaintexts until the key is found, but remains an expensive process

Requirements for MACs
• taking into account other types of attacks, we need the MAC to satisfy the following:
  1. knowing a message and its MAC, it is infeasible to find another message with the same MAC
  2. MACs should be uniformly distributed
  3.
  MAC should depend equally on all bits/parts of the message

Using symmetric ciphers for MACs
• can use any block cipher chaining mode and use the final block as a MAC
• Data Authentication Algorithm (DAA) is a widely used MAC based on DES in Cipher Block Chaining mode
  - using IV = 0 and zero-padding of the final block
  - encrypt the message using DES in CBC mode
  - and send just the final block as the MAC, or the leftmost M bits (16 ≤ M ≤ 64) of the final block
• but the final MAC is now too small for security

More recent symmetric cipher options
• use AES instead of DES
• CBC mode requires a final encryption with a second, independent key to avoid extension attacks
• digression: NMAC (nested MAC) alternative
  - output is in the key space, unlike CBC output in the message space
  - cascade function, but not well suited for AES
  - needs padding with a fixed pad, and encryption with a second, independent key
• how padding works
• CMAC: NIST standard, CCM mode, uses two keys depending on whether the final block was padded or not

Message authentication via hash functions
(figure: the hash-based schemes; + digital signature also)

Message authentication via hash functions (contd.)
• secret value is added before hashing and then removed before transmission

Message authentication via hash functions
• note: in scheme (c) hashing M || S is more secure than hashing S || M
  - given the iterative structure of hash functions, an adversary could extend M to M || X and generate the new hash
• diffusing S in the hash of M and S can be achieved by using HMAC

Keyed hash functions as MACs
• desirable to create a MAC using a hash function rather than a block cipher because
  - hash functions are generally faster
  - not limited by export controls, unlike block ciphers
• hash includes a key along with the message
• original proposal: KeyedHash = Hash(Key || Message)
• some weaknesses were found with this
• eventually led to the development of HMAC

HMAC
• specified as Internet standard RFC 2104
• uses a hash function on the message: HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
• where K+ is the key padded out to the block size and opad, ipad are specified padding constants
• overhead is just 3 more hash calculations than the message needs alone
• can use MD5 or SHA-1

HMAC overview
(figure)

HMAC security
• security of HMAC relates to that of the underlying hash algorithm
• attacking HMAC requires either:
  - brute force attack on the key used
  - birthday attack (but since it is keyed, the attacker would need to observe a very large number of messages)
• choose hash function based on speed vs. security constraints
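The arithmetic on the "A brute force attack on MAC" slide, carried out on a toy MAC as an added example (this is not code from the lecture). The key is cut to k = 16 bits and the tag to m = 8 bits so that the exhaustive 2^k search actually finishes; the key value 0xBEEF and the two message texts are constructed. After one (message, tag) pair the number of plausible keys comes out near 2^k / 2^m = 256, and a second pair narrows them to the true key, which is the iteration the slide describes.

```python
import hashlib
import hmac

KEY_BITS = 16   # the slide's k, cut down from a real key length so the 2^k search finishes
TAG_BITS = 8    # the slide's m (m < k)


def toy_mac(key: int, msg: bytes) -> int:
    """Toy m-bit MAC: HMAC-SHA256 under a k-bit key, truncated to TAG_BITS bits."""
    key_bytes = key.to_bytes(KEY_BITS // 8, "big")
    digest = hmac.new(key_bytes, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (8 * len(digest) - TAG_BITS)


def plausible_keys(observations, candidates=None):
    """Return every key consistent with all observed (message, tag) pairs.
    With no prior candidates this is the exhaustive search over all 2^k keys;
    passing the survivors of an earlier call is the slide's 'iterate with more
    plaintexts' step."""
    if candidates is None:
        candidates = range(1 << KEY_BITS)
    for msg, tag in observations:
        candidates = [k for k in candidates if toy_mac(k, msg) == tag]
    return candidates


def expected_survivors() -> int:
    """The slide's estimate: 2^k keys / 2^m tag values remain plausible after one pair."""
    return 2 ** (KEY_BITS - TAG_BITS)


if __name__ == "__main__":
    true_key = 0xBEEF                                     # constructed secret key
    m1, m2 = b"constructed message one", b"constructed message two"
    first = plausible_keys([(m1, toy_mac(true_key, m1))])
    second = plausible_keys([(m2, toy_mac(true_key, m2))], first)
    print(f"expected about {expected_survivors()} plausible keys after one pair, got {len(first)}")
    print(f"after a second pair: {len(second)} plausible key(s); true key present: {true_key in second}")
```

The survivor count after the first pair is itself the reason the slide insists on m-bit tags that are not too short: every halving of the tag length doubles the set of keys an observer cannot rule out, and with real key lengths the exhaustive step that this toy makes cheap is what remains infeasible.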
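Added example (not code from the lecture) for the "Using symmetric ciphers for MACs", "More recent symmetric cipher options" and "HMAC" slides. The block cipher is a toy Feistel construction built on SHA-256 so that the script needs only Python's standard library; it stands in for DES/AES and is not a real cipher. On top of it the script builds the DAA-style CBC-MAC (IV = 0, zero-pad, last block as tag), checks the extension identity that the second-key final encryption exists to close, checks the padded/unpadded ambiguity that CMAC's two keys address, and implements HMAC exactly as RFC 2104 specifies, verified against the published RFC 2202 HMAC-SHA1 test vector. All keys and messages other than that test vector are constructed values.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes of the stand-in cipher (AES-sized)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed SHA-256 truncated to one 8-byte half."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher (4-round Feistel). It stands in for DES/AES only so the
    MAC constructions below run with the standard library; it is not a real cipher."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """DAA-style CBC-MAC: IV = 0, zero-pad the final block, tag = last cipher block."""
    padded = msg + b"\x00" * ((-len(msg)) % BLOCK)
    prev = bytes(BLOCK)                                   # IV = 0
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, _xor(prev, padded[i:i + BLOCK]))
    return prev


def ecbc_mac(key1: bytes, key2: bytes, msg: bytes) -> bytes:
    """CBC-MAC whose final block is re-encrypted under a second, independent key."""
    return toy_block_encrypt(key2, cbc_mac(key1, msg))


def extension_identity_holds(mac, m1: bytes, m2: bytes) -> bool:
    """Does MAC(M1 || (M2 xor MAC(M1))) == MAC(M2) hold for single-block M1, M2?
    It does for raw CBC-MAC, which is why that construction cannot be used as-is on
    variable-length messages; the second-key final encryption makes it false."""
    t1 = mac(m1)
    return mac(m1 + _xor(m2, t1)) == mac(m2)


def zero_pad_is_ambiguous(key: bytes, msg: bytes) -> bool:
    """Zero-padding maps M and M || 0x00 to the same padded block when M is not
    block-aligned, so both get the same raw CBC-MAC; CMAC's two derived keys (one
    for a padded final block, one for a full one) remove this ambiguity."""
    return len(msg) % BLOCK != 0 and cbc_mac(key, msg) == cbc_mac(key, msg + b"\x00")


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_K(M) = Hash[(K+ xor opad) || Hash[(K+ xor ipad) || M]] per RFC 2104:
    K+ is the key zero-padded to the hash's block size (a longer key is hashed
    first), ipad is 0x36 repeated and opad is 0x5c repeated."""
    h = getattr(hashlib, hash_name)
    blk = h().block_size                                  # 64 bytes for MD5/SHA-1/SHA-256
    if len(key) > blk:
        key = h(key).digest()
    k_plus = key + b"\x00" * (blk - len(key))
    inner = h(_xor(k_plus, b"\x36" * blk) + msg).digest()   # one pass over the message
    return h(_xor(k_plus, b"\x5c" * blk) + inner).digest()  # plus a short outer hash


def verify_hmac(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Constant-time comparison so tag checking does not leak how many bytes matched."""
    return hmac.compare_digest(hmac_rfc2104(key, msg, hash_name), tag)


if __name__ == "__main__":
    k1, k2 = b"\x01" * 16, b"\x02" * 16                   # constructed keys
    m1, m2 = b"A" * 16, b"B" * 16                         # constructed single-block messages
    print("raw CBC-MAC extension identity:", extension_identity_holds(lambda m: cbc_mac(k1, m), m1, m2))
    print("with second-key final encryption:", extension_identity_holds(lambda m: ecbc_mac(k1, k2, m), m1, m2))
    print("zero-pad ambiguity for 'hello':", zero_pad_is_ambiguous(k1, b"hello"))
    key = b"\x0b" * 20                                    # RFC 2202 HMAC-SHA1 test case 1
    print("HMAC-SHA1('Hi There') =", hmac_rfc2104(key, b"Hi There").hex())
    print("matches the standard library:", hmac_rfc2104(key, b"Hi There") == hmac.new(key, b"Hi There", "sha1").digest())
```

The two CBC-MAC checks are the practitioner's version of the slide's "extension attacks" and "two keys wrt pad/not" remarks: the identity holding for the raw construction and the padded/unpadded collision are exactly the properties that the second key and CMAC's key derivation remove. For HMAC, the inner hash is the only pass over the message and the outer hash covers one block plus a digest, which is the "3 more hash calculations" overhead the slide quotes; verification always goes through compare_digest rather than ==.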