Authentication

functions and Hash

functions
Fifth Edition
by William Stallings

Lecture slides by Lawrie Brown

 Hash Functions
 condenses arbitrary message to fixed size
h = H(M)
 usually assume hash function is public
 hash used to detect changes to message
 want a cryptographic hash function
 computationally infeasible to find data mapping
to specific hash (one-way property)
 computationally infeasible to find two data to
same hash (collision-free property)
Cryptographic Hash Function
 Hash Function Uses
 Message Integrity Check (MIC)
 send hash of message (digest)
 MIC always encrypted, message optionally
 Message Authentication Code (MAC)
 send keyed hash of message
 MAC, message optionally encrypted
 Digital Signature (non-repudiation)
 Encrypt hash with private (signing) key
 Verify with public (verification) key
 Hash Functions & Message
Authentication
Symmetric Key
Unkeyed Hash

a) Message
encrypted

b) Message
unencrypted
 Hash Functions & Message
Authentication
Symmetric Key
Keyed Hash

a) Message
unencrypted

d) Message
encrypted
Hash Functions & Digital
Signatures - PKCS
 Other Hash Function Uses
 pseudorandom function (PRF)
 Generate session keys, nonces
 Produce key from password
 Derive keys from master key cooperatively
 pseudorandom number generator
(PRNG)
 Vernam Cipher/OTP
 S/Key, proof of “what you have” via messages
 More Hash Function Uses
 to create a one-way password file
 store hash of password not actual password
 e.g., Unix, Windows NT, etc.
 salt to deter precomputation attacks
 Rainbow tables
 for intrusion detection and virus detection
 keep & check hash of files on system
 e.g., Tripwire
Lamport One-time Passwords
 Password safety in distributed system
 server compromise does not compromise P
 interception of authentication exchange does
not compromise password either
 Alice picks Password PA
 Hashes password N times, HN(PA)
 Server stores (Alice, N, HN(PA))
 Attacker can’t get PA from HN(PA)
Lamport One-time Passwords
 Protocol
 Alice sends “I’m Alice”
 Server sends “N-1”
 Alice sends “X” where X=HN-1(PA)
 Server verifies H(X) = HN(PA)
 Server updates to (Alice, N-1, X)
 Attacker still can’t get PA or
authenticate as Alice
 Two Simple Insecure Hash
Functions
 consider two simple insecure hash functions
 bit-by-bit exclusive-OR (XOR) of every block
 Ci = bi1 xor bi2 xor . . . xor bim
 a longitudinal redundancy check
 reasonably effective as data integrity check
 one-bit circular shift on hash value
 for each successive n-bit block
• rotate current hash value to left by1bit and XOR block
 good for data integrity but useless for security
Hash Function Requirements
 Attacks on Hash Functions
 have brute-force attacks and cryptanalysis
 a preimage or second preimage attack
 find y s.t. H(y) equals a given hash value
 collision resistance
 find two messages x & y with same hash so
H(x) = H(y)
 hence value 2m/2 determines strength of
hash code against brute-force attacks
 128-bits inadequate, 160-bits suspect
 Birthday Attacks
 might think a 64-bit hash is secure
 but by Birthday Paradox is not
 birthday attack works thus:
 given user prepared to sign a valid message x
 opponent generates 2m/2 variations x’ of x, all with
essentially the same meaning, and saves them
 opponent generates 2m/2 variations y’ of a desired
fraudulent message y
 two sets of messages are compared to find pair with
same hash (probability > 0.5 by birthday paradox)
 have user sign the valid message, then substitute the
forgery which will have a valid signature
 conclusion is that need to use larger MAC/hash
 Birthday Attacks
Find i and j
such that y y’1 y’2 … y’j … y’N
H(y’j)=H(x’i)
x ≠ ≠ ≠ ≠ ≠
Table takes x’1 ≠ ≠ ≠ ≠ ≠
O(N2) time x’2 ≠ ≠ ≠ ≠ ≠
Faster … …
x’i ≠ ≠ ≠ = ≠
Sorted lists
take O(NlogN) …
time x’N ≠ ≠ ≠ ≠ ≠
 Birthday Attacks
 What are chances we get a match?
 N distinct values, k randomly chosen ones
 P(N,i) = prob(i randomly selected values from
1..N have at least one match)
 P(N,2) = 1/N
 P(N,i+1) = P(N,i)+(1-P(N,i))(i/N)
 For P(N,k)>0.5, need k ≈ N1/2
 Need double # bits in hash value
 Hash Function Cryptanalysis
 cryptanalytic attacks exploit some property
of alg so faster than exhaustive search
 hash functions use iterative structure
 process message in blocks (incl length)
 attacks focus on collisions in function f
 Block Ciphers as Hash
Functions
 can use block ciphers as hash functions
 using H0=0 and zero-pad of final block
 compute: Hi = EMi [Hi-1]
 and use final block as the hash value
 similar to CBC but without a key
 resulting hash is too small (64-bit)
 both due to direct birthday attack
 and to “meet-in-the-middle” attack
 other variants also susceptible to attack
 Block Ciphers as Hash
Functions H
0

Block cipher key length B

Pad Message M to multiple of B M1 E
Break padded M into L blocks
L = |M|/B M2 E
M = M1 M2 … ML
Use blocks of M as keys in block
cipher, iteratively encrypt state value
starting with constant H0 resulting in ML E
hash value
HL
H = HL = E(ML,….E(M2,E(M1,H0))…)
 Secure Hash Algorithm
 SHA originally designed by NIST & NSA in 1993
 was revised in 1995 as SHA-1
 US standard for use with DSA signature scheme
 standard is FIPS 180-1 1995, also Internet RFC3174
 nb. the algorithm is SHA, the standard is SHS
 based on design of MD4 with key differences
 produces 160-bit hash values
 2005 results on security of SHA-1 raised
concerns on its use in future applications
 Revised Secure Hash
Standard
 NIST issued revision FIPS 180-2 in 2002
 adds 3 additional versions of SHA
 SHA-256, SHA-384, SHA-512
 designed for compatibility with increased
security provided by the AES cipher
 structure & detail is similar to SHA-1
 hence analysis should be similar
 but security levels are rather higher
SHA Versions
SHA-512 Overview
 SHA-512 Compression
Function
 heart of the algorithm
 processing message in 1024-bit blocks
 consists of 80 rounds
 updating a 512-bit buffer
 using a 64-bit value Wt derived from the
current message block
 and a round constant based on cube root of
first 80 prime numbers
SHA-512 Round Function
SHA-512 Round Function
 SHA-3
 SHA-1 not yet "broken”
 but similar to broken MD5 & SHA-0
 so considered insecure
 SHA-2 (esp. SHA-512) seems secure
 shares same structure and mathematical
operations as predecessors so have concern
 NIST announced in 2007 a competition for
the SHA-3 next gen NIST hash function
 Keccak winner Oct 2012 – std in Q2,2014
 SHA-3 Requirements
 replace SHA-2 with SHA-3 in any use
 so use same hash sizes
 preserve the online nature of SHA-2
 so must process small blocks (512 / 1024 bits)
 evaluation criteria
 security close to theoretical max for hash sizes
 cost in time & memory
 characteristics: such as flexibility & simplicity
 Summary
 have considered:
 hash functions
• uses, requirements, security
 hash functions based on block ciphers
 SHA-1, SHA-2, SHA-3
 Chapter 12 – Message
Authentication Codes
 At cats' green on the Sunday he took the message from
the inside of the pillar and added Peter Moran's name to
the two names already printed there in the "Brontosaur"
code. The message now read: “Leviathan to Dragon:
Martin Hillman, Trevor Allan, Peter Moran: observe and
tail.” What was the good of it John hardly knew. He felt
better, he felt that at last he had made an attack on Peter
Moran instead of waiting passively and effecting no
retaliation. Besides, what was the use of being in
possession of the key to the codes if he never took
advantage of it?
 —Talking to Strange Men, Ruth Rendell
 Road Map
 Topics
 message authentication requirements
 message authentication using encryption
 MACs
 HMAC authentication using a hash function
 Message Authentication
 message authentication is concerned with:
 protecting the integrity of a message
 validating identity of originator
 non-repudiation of origin (dispute resolution)
 will consider the security requirements
 then three alternative functions used:
 hash function (see Ch 11)
 message encryption
 message authentication code (MAC)
Message Security Requirements
 disclosure
 traffic analysis
 masquerade
 content modification
 sequence modification
 timing modification
 source repudiation
 destination repudiation
 Road Map
 Topics
 message authentication requirements
 message authentication using encryption
 MACs
 HMAC authentication using a hash function
 CMAC authentication using a block cipher
Symmetric Message Encryption
 encryption can also provides authentication
 if symmetric encryption is used then:
 receiver know sender must have created it
 since only sender and receiver know key used
 know content cannot have been altered...
 ... if message has suitable structure,
redundancy or a suitable checksum to detect
any changes
Public-Key Message Encryption
 if public-key encryption is used:
 encryption provides no confidence of sender
• since anyone potentially knows public-key
 however if
• sender signs message using their private-key
• then encrypts with recipients public key
• have both secrecy and authentication
 again need to recognize corrupted messages
 but at cost of two public-key uses on message
Public-Key Message Encryption
 Dirty little detail on PKCS
• Every time you encrypt, size expands
• Due to protections in PKCS#1
 So signing (by encryption) then encrypting,
the size is more than doubled!
 Road Map
 Topics
 message authentication requirements
 message authentication using encryption
 MACs
 HMAC authentication using a hash function
 CMAC authentication using a block cipher
 Message Authentication Code
(MAC)
 generated by an algorithm that creates a
small fixed-sized block
 depending on both message and secret key
 like encryption though need not be reversible
 appended to message as a “signature”
 receiver performs same computation on
message and checks it matches the MAC
 provides assurance that message is
unaltered and comes from sender
Message Authentication Code
 a small fixed-sized block of data
 generated from message + secret key
 MAC = C(K,M)
 appended to message when sent
 Message Authentication
Codes
 as shown the MAC provides authentication
 can also use encryption for secrecy
 generally use separate keys for each
 can compute MAC either before or after
encryption
 is generally regarded as better done before, but
see Generic Composition
 Message Authentication
Codes
 why use a MAC?
 sometimes only authentication is needed
 sometimes need authentication to persist longer
than the encryption (e.g. archival use)
 note that a MAC is not a digital signature
• Does NOT provide non-repudiation
 MAC Properties
 a MAC is a cryptographic checksum
MAC = CK(M)
 condenses a variable-length message M
 using a secret key K
 to a fixed-sized authenticator
 is a many-to-one function
 potentially many messages have same MAC
 but finding these needs to be very difficult
 Requirements for MACs
 taking into account the types of attacks
 need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible
to find another message with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the
message
 Security of MACs
 like block ciphers have:
 brute-force attacks exploiting
m/
 strong collision resistance hash have cost 2 2

• 128-bit hash looks vulnerable, 160-bits better

 MACs with known message-MAC pairs
• can either attack keyspace (cf. key search) or MAC
• at least 128-bit MAC is needed for security
 Security of MACs
 cryptanalytic attacks exploit structure
 like block ciphers want brute-force attacks to
be the best alternative
 more variety of MACs so harder to
generalize about cryptanalysis
Keyed Hash Functions as MACs
 want a MAC based on a hash function
 because hash functions are generally faster
 crypto hash function code is widely available
 hash includes a key along with message
 original proposal:
KeyedHash = Hash(Key|Message)
 some weaknesses were found with this
 eventually led to development of HMAC
 Problem with Keyed Hash
 KeyedHash = Hash(Key|Message)
 Recall hash function works on blocks
 Let M = Key | Message | Padding and M
M=M1 M2 … ML, where |Mi| = Blocksize
Hash=H(H(…H(H(IV,M1),M2),…,ML)
 But can add extra block(s) ML+1 by
Hash’=H(Hash,ML+1)
 Unless formatting prevents it…
… but still best to use HMAC!
 Road Map
 Topics
 message authentication requirements
 message authentication using encryption
 MACs
 HMAC authentication using a hash function
 HMAC Design Objectives
 use, without modifications, hash functions
 allow for easy replacement of embedded
hash function
 preserve original performance of hash
function without significant degradation
 use and handle keys in a simple way.
 have well understood cryptographic analysis
of authentication mechanism strength
 HMAC
 specified as Internet standard RFC2104
 uses hash function on the message:
HMACK(M)= Hash[(K+ XOR opad) ||
Hash[(K+ XOR ipad) || M)] ]
 where K+ is the key padded out to block size
 opad, ipad are specified padding constants
 overhead is just 3 more hash block calculations
than the message needs alone
 any hash function can be used
 eg. MD5, SHA-1, RIPEMD-160, Whirlpool
 HMAC
Overview
 HMAC Security
 proved security of HMAC relates to that of
the underlying hash algorithm
 attacking HMAC requires either:
 brute force attack on key used
 birthday attack (but since keyed would need
to observe a very large number of messages)
 choose hash function used based on
speed verses security constraints