Authentication & MD5
Jen-Chang Liu, Fall 2005
Adapted from lecture slides by Lawrie Brown

Model for Network Security

Type of attacks
- disclosure
- traffic analysis
- masquerade (impersonation)
- content modification
- sequence modification: insertion, deletion, reordering
- timing modification: delay or replay of message
- source repudiation
- destination repudiation
[Slide annotations: Message confidentiality = ciphers; Message authentication = message encryption, message auth. code, hash function; cannot deny having sent the message; digital signature; cannot deny having received the message]

Outline
- Message authentication
- Message encryption
- Message authentication code: MAC = C_k(M), k is a shared secret key, MAC is a fixed-length code
- Hash function: h = H(M), h is a fixed-length code
- MD5

Message Authentication
- message authentication is concerned with:
  - protecting the integrity of a message
  - validating identity of originator
  - non-repudiation of origin (dispute resolution)
- Two-level approach
  - Produce an authenticator: a value to be used to authenticate a message
  - Authentication protocol
[Slide annotations: message; source; source cannot deny having sent the message]

Message Encryption
- The ciphertext of the message serves as its authenticator
- symmetric encryption is used:
  * A is the only party that possesses K
  * Y = D_K(X). How to verify that Y is legitimate plaintext?
    - Source: text file
    - Source: binary file, such as compressed file, ...

Symmetric encryption for authentication
- Constraint: the plaintext has some well-formed structure
- Example 1: frame check sequence (FCS)
[Figure labels: error detection code; frame check sequence; hash function]

Symmetric encryption for authentication (cont.)
- Example 2: TCP header
[Figure label: encrypted]

Public-key encryption for authentication
- Anyone can access the public key, so no authentication
[Figure: A, B; panels: confidentiality; authentication; confidentiality + authentication]

Outline
- Message authentication
- Message encryption
- Message authentication code: MAC = C_k(M), k is a shared secret key, MAC is a fixed-length code
- Hash function: h = H(M), h is a fixed-length code
- MD5

Message Authentication Code (MAC)
- MAC is a cryptographic checksum: MAC = C_K(M)
  - condenses a variable-length message M
  - using a secret key K
  - to a fixed-sized authenticator

Message Authentication Codes (cont.)
- why use a MAC instead of message encryption?
  - Sometimes only authentication is needed
    - Ex. Broadcast of shut down message, check MAC is cheaper
    - Ex. The receiver side cannot afford time to decrypt
    - Ex. Authentication of a program in plaintext
  - Separation of authentication and confidentiality
  - Sometimes need authentication to persist longer than the encryption (e.g. archival use)
- note that a MAC is not a digital signature
  - Both sender and receiver share the same key

Requirements for MACs
- taking into account the types of attacks, we need the MAC to satisfy the following:
  - knowing a message and MAC, it is infeasible to forge another message with the same MAC
  - MACs should be uniformly distributed
    - For random M and M', with an n-bit MAC, the prob. that C_K(M) = C_K(M') is 2^-n
  - MAC should depend equally on all bits of the message

Using Symmetric Ciphers for MACs
- Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
  - using IV = 0 and zero-pad of final block
  - encrypt message using DES in CBC mode
  - and send just the final block as the MAC
    - or the leftmost M bits (16 ≤ M ≤ 64) of final block
[Figure: cipher block chaining; labels: +, IV = 0]

Message + MAC with confidentiality

Outline
- Message authentication
- Message encryption
- Message authentication code: MAC = C_k(M), k is a shared secret key, MAC is a fixed-length code
- Hash function: h = H(M), h is a fixed-length code
- MD5

Hash Functions
- Hash function: h = H(M), h is a fixed-length code
  - Also called message digest or hash value
- usually assume that the hash function is public and not keyed
  - cf. MAC, which is keyed
- hash is used to detect changes to message
- can use in various ways with message, most often to create a digital signature

Hash functions & symmetric encryption
- Hash code provides a structure for the message
- In fact, a MAC code

Hash functions & public-key encryptions
- In fact, a digital signature
[Figure labels: confidentiality; User A; User B]

Hash functions & a shared secret value S
- Advantage: no encryption is necessary
[Figure label: confidentiality]

Requirements for Hash Functions
- is easy to compute h = H(M) for any message M
- can be applied to any sized message M
- produces fixed-length output h
- given h, is infeasible to find x s.t. H(x) = h
  - one-way property
  - Important if a secret value is hashed: h = H(M || S)
- given x, is infeasible to find y s.t. H(y) = H(x)
  - weak collision resistance
  - Prevent forgery
- is infeasible to find any x, y s.t. H(y) = H(x)
  - strong collision resistance

Simple Hash Functions
- based on XOR of message blocks
[Figure label: XOR]
* Too simple to fit the security requirements

Chapter 12 Hash Algorithms
"Each of the messages, like each one he had ever read of Stern's commands, began with a number and ended with a number or row of numbers. No efforts on the part of Mungo or any of his experts had been able to break Stern's code, nor was there any clue as to what the preliminary number and those ultimate numbers signified."
Talking to Strange Men, Ruth Rendell
Lecture slides from Lawrie Brown

Hash Algorithms
- see similarities in the evolution of hash functions & block ciphers
  - increasing power of brute-force attacks
  - leading to evolution in algorithms
  - from DES to AES in block ciphers
  - from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash algorithms
- likewise tend to use common iterative structure as do block ciphers

MD5 (Message Digest)
- designed by Ronald Rivest (the R in RSA)
- latest in a series of MD2, MD4
- produces a 128-bit hash value
- until recently was the most widely used hash algorithm
  - in recent times have both brute-force & cryptanalytic concerns
- specified as Internet standard RFC1321

MD5 Overview
- pad message so its length is 448 mod 512
- append a 64-bit length value to message
- initialise 4-word (128-bit) MD buffer (A, B, C, D)
- process message in 16-word (512-bit) blocks:
  - using 4 rounds of 16-step operations on message block & buffer
  - add output to buffer input to form new buffer value
- output hash value is the final buffer value
[Figure labels: always; H_MD5; 32 bits or 1 word]
T_i = 2^32 × abs(sin(i))

MD5 Compression Function (1 step)
[Figure labels: 32 bits (×4); random 32 bits; 32 bits from 512-bit block; circular left shift]

MD5 Compression Function
- each round has 16 steps of the form:
  a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
- a, b, c, d refer to the 4 words of the buffer, but used in varying permutations
  - note this updates 1 word only of the buffer
  - after 16 steps each word is updated 4 times
- where g(b,c,d) is a different nonlinear function in each round (F, G, H, I)
- T[i] is a constant value derived from sin()

Round functions
* Bitwise logical operations
[Figure label: H_MD5]

Strength of MD5
- MD5 hash is dependent on all message bits
- Rivest claims security is good as can be
- Case 1: find M1 and M2
- Case 2: find a message with given MD
[Figure labels: M1, M2, 128-bit MD; 128-bit MD; 2^64 operations; 2^128 operations]

Strength of MD5 (cont.)
- known attacks are:
  - Berson 92 attacked any 1 round using differential cryptanalysis (but can't extend)
  - Boer & Bosselaers 93 found a pseudo collision (different ABCD buffers, same output) in single block (again unable to extend)
  - Dobbertin 96 created collisions (different 512-bit blocks, same output) in single block (but initial constants prevent exploit)
- conclusion is that MD5 looks vulnerable soon