network security lec5

Network Security Lecture 5

Upload: federal-urdu-university

Post on 29-Nov-2014


Page 1: Network Security  Lec5

Network Security

Lecture 5

Page 2: Network Security  Lec5

Public Key Cryptography and Message Authentication

• Message authentication codes and hash functions to provide message authentication.

• Public-key encryption and two specific public-key algorithms.

• Public-Key encryption to produce digital signatures.

Page 3: Network Security  Lec5

Information Integrity Problems

• Content Modification: Adversary inserts/modifies/deletes message content

[Figure: adversary acts on the salary database: “Insert new record for Darth’s salary of $1,000,000”]

Page 4: Network Security  Lec5

Information Integrity Problems

• Masquerade: Adversary sends message claimed to be from someone else

[Figure: adversary masquerading as Alice sends “Give Darth a $10,000 raise -- Alice”]

Page 5: Network Security  Lec5

Information Integrity Problems

• Timing Modification: Adversary intercepts message and replays it later

[Figure: replayed message “Open the front gate. -- Alice”]

Page 6: Network Security  Lec5

Information Integrity Problems

• Simplest case: Detecting modification
  – Message M stored in public location
  – M not encrypted

• How can we prove/detect whether adversary has replaced message M with fake message M´?

[Figure: message M in public storage replaced by M´]

Page 8: Network Security  Lec5

Message Digest

• Created from message M using hashing function: y = h(M)

• Like “fingerprint” for messages
  – Different messages, different fingerprints
  – Much more compact than messages: size of y < size of M
  – Plausible for secure storage

Page 9: Network Security  Lec5

Message Digest

• Same concept as error detection in network transmission

• Error detection bits = function of message
  – Example: parity bit depends on even/odd number of 1’s in message

• If error detection bits do not match message, request message resend

• Key difference: Unlike noise, adversary is intelligent

[Figure: message followed by its error detection bits]

Page 10: Network Security  Lec5

Modification Detection Code: MDC

• Used to detect modification
  – Apply hash to message in storage to get h(M´)
  – Compare with stored h(M)
  – If h(M´) ≠ h(M), message has been modified

• Modification Detection Code (MDC)

[Figure: M´ from public storage is hashed to h(M´) and compared with the stored h(M)]

Page 11: Network Security  Lec5

Message Authentication Code: MAC

• Hash applied to message by sender and recipient

• If no match, message has been tampered with

• Problem: Requires MDC sent securely
  – Otherwise, adversary could modify it as well!

Page 12: Network Security  Lec5

Message Authentication Code

• Using secret key to prevent adversary from creating message digest to match false message
  – Creates MAC as h(M, k)
  – Can also encrypt message, but not necessary

Page 13: Network Security  Lec5

Solving Integrity Problems

• Content Modification: If adversary modifies message, will no longer match message digest

• Authentication: Adversary cannot send false message since cannot generate corresponding digest

• Timing Modification: Sender can add timestamp to message which adversary cannot modify without generating corresponding message digest

Page 15: Network Security  Lec5

Preimage Attack

• Adversary can “tweak” new message M´ until h(M´) = h(M)

• Example:
  Give Darth a salary increase of $1000
  Award Mr. Vader some raise … $2000
  Present Darth Vader … bonus $3000
  … … … $4000 …

“I’ll find some combination of these so they can’t detect the difference!”

Page 16: Network Security  Lec5

Collision Attack

• Adversary finds two messages M1 and M2 with same MDC: h(M1) = h(M2)

• M1 is harmless message: “We like kittens”

• M2 has advantage for adversary: “Give Darth a $5000 raise”

Page 17: Network Security  Lec5

Collision Attack

• Darth gets job in organization
  – Presents M1 to boss for approval
  – Boss stores h(M1)
  – Darth actually stores/sends M2

• Boss has no way to prove he didn’t approve M2

[Figure: boss approves “We like kittens” and stores h(“We like kittens”); Darth stores/sends “Give Darth a $5000 raise”]
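The search described on the Preimage Attack and Collision Attack slides, as an added example that is not part of the lecture. It shows why a short digest cannot serve as an MDC: the 24-bit digest `tiny_h` and the trailing-whitespace variants are constructed for the demo and stand in for the slide's wording variants.

```python
import hashlib
from itertools import product

DIGEST_BYTES = 3  # deliberately tiny 24-bit digest, constructed for this demo


def tiny_h(message: bytes) -> bytes:
    """SHA-256 truncated to 24 bits, standing in for a hash that is too short."""
    return hashlib.sha256(message).digest()[:DIGEST_BYTES]


def variants(text: str, slots: int = 14):
    """Yield 2**slots versions of text that look identical when displayed."""
    for pattern in product(" \t", repeat=slots):
        yield (text + "".join(pattern)).encode()


def find_collision(harmless: str, harmful: str):
    """Return (M1, M2) with tiny_h(M1) == tiny_h(M2), or None if none is found."""
    seen = {tiny_h(m1): m1 for m1 in variants(harmless)}
    for m2 in variants(harmful):
        m1 = seen.get(tiny_h(m2))
        if m1 is not None:
            return m1, m2
    return None


if __name__ == "__main__":
    pair = find_collision("We like kittens", "Give Darth a $5000 raise")
    if pair:
        m1, m2 = pair
        print(repr(m1), tiny_h(m1).hex())
        print(repr(m2), tiny_h(m2).hex())
```

About 2^14 variants per message are enough against a 24-bit digest; for an m-bit digest the same search needs on the order of 2^(m/2) variants, which is what makes it infeasible for a 256-bit hash.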

Page 18: Network Security  Lec5

Digests and Networks

• Same hash applied to message by sender and recipient
  – Sender creates digest and sends along with message
  – Recipient creates digest from received message, and compares to received digest
  – If no match, message has been tampered with en route

Page 19: Network Security  Lec5

Digests and Networks

• Problem: Adversary can easily intercept digest and change it to match new message
  – Must assume adversary knows hash function we use!

Page 20: Network Security  Lec5

Message Authentication Codes

• Using secret key to create digest
  – Creates MAC as h(M, k)
  – Without k, adversary cannot substitute M and then duplicate the h(M, k) that recipient will use to check message integrity

Page 21: Network Security  Lec5

Message Authentication Codes

• Provides authentication of sender
  – Only person with correct key k can produce h(M, k) that matches message M
  – Also provides nonrepudiation protection
    • Sender cannot later claim they did not send message unless key stolen

[Figure: sender transmits M with h(M, k); recipient recomputes h(M, k) using key k and compares: “If they match, then sender must have same key k as I do”]
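The unkeyed digest from the Digests and Networks slides next to the keyed MAC and timestamp from the Solving Integrity Problems slide, as an added example that is not part of the lecture. HMAC-SHA256 is used here as the keyed function h(M, k); the key, the JSON message layout and the 30-second window are assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-shared-key"   # sample secret k, known to sender and recipient
MAX_AGE = 30                      # assumed freshness window in seconds


def mdc(message: bytes) -> bytes:
    """Unkeyed digest h(M): the adversary can compute this too."""
    return hashlib.sha256(message).digest()


def mac(message: bytes, key: bytes) -> bytes:
    """Keyed digest h(M, k), here HMAC-SHA256 from the standard library."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(text: str, key: bytes, now: float) -> tuple:
    """Sender: put the timestamp inside the message, then MAC the whole body."""
    body = json.dumps({"ts": now, "text": text}).encode()
    return body, mac(body, key)


def receive(body: bytes, tag: bytes, key: bytes, now: float) -> str:
    """Recipient: recompute h(M, k), compare, then check freshness."""
    if not hmac.compare_digest(tag, mac(body, key)):
        return "rejected: MAC mismatch"
    if now - json.loads(body)["ts"] > MAX_AGE:
        return "rejected: stale timestamp"
    return "accepted"


def mdc_accepts(body: bytes, digest: bytes) -> bool:
    """Recipient-side check when only an unkeyed digest travels with M."""
    return hmac.compare_digest(digest, mdc(body))


if __name__ == "__main__":
    body, tag = send("Open the front gate.", KEY, now=1000.0)
    forged = body.replace(b"front", b"back ")
    print("MDC, forged M with recomputed digest:", mdc_accepts(forged, mdc(forged)))
    print("MAC, forged M with old tag:", receive(forged, tag, KEY, 1005.0))
    print("MAC, original inside window:", receive(body, tag, KEY, 1005.0))
    print("MAC, original replayed later:", receive(body, tag, KEY, 5000.0))
```

A copy replayed inside the freshness window is still accepted, so a recipient that needs stricter replay protection also has to remember which messages it has already seen.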

Page 22: Network Security  Lec5

Authentication and Confidentiality

• Can also encrypt message with different key
  – Hash plaintext before encryption
  – Hash ciphertext after encryption
    • Allows authentication to take place without decryption (usually much faster)


Page 23: Network Security  Lec5

Prefix/Postfix MAC

• Key = “extra bits” at beginning or end of message: h(M, k) = h(M | k) or h(k | M)

• Attack by exhaustive key search:
  – Adversary intercepts M and MAC h(M, k)
  – Adversary tries all key values k to find h(M, k) = MAC
  – Key size must be large enough to prevent this!

• Hash algorithm used must have “avalanche effect”
  – Changing few bits at beginning/end changes most bits of MAC
  – Better if key “spread out” over message rather than at known fixed location

Page 24: Network Security  Lec5

Nested MAC

• Hashing applied multiple times
  – Concatenate key with message: k | M
  – Run through hash: h(k | M)
  – Concatenate key again: k | h(k | M)
  – Run through hash again: MAC = h(k | h(k | M))

• Changes in key have greater avalanche effect on final MAC
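The three constructions from the Prefix/Postfix MAC and Nested MAC slides, with the key-size and avalanche points measured, as an added example that is not part of the lecture. SHA-256 is assumed for h, and the message and 16-bit key are constructed sample values.

```python
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def prefix_mac(m: bytes, k: bytes) -> bytes:    # h(k | M)
    return h(k + m)


def postfix_mac(m: bytes, k: bytes) -> bytes:   # h(M | k)
    return h(m + k)


def nested_mac(m: bytes, k: bytes) -> bytes:    # h(k | h(k | M))
    return h(k + h(k + m))


def key_search(m: bytes, tag: bytes, mac, key_bytes: int):
    """Try every key of the given size against one intercepted (M, MAC) pair."""
    for guess in range(256 ** key_bytes):
        k = guess.to_bytes(key_bytes, "big")
        if mac(m, k) == tag:
            return k, guess + 1          # key found and number of trials used
    return None, 256 ** key_bytes


def key_avalanche(mac, m: bytes, k: bytes) -> int:
    """Bits of the MAC that change when one bit of the key is flipped."""
    flipped = bytes([k[0] ^ 0x01]) + k[1:]
    return sum(bin(a ^ b).count("1") for a, b in zip(mac(m, k), mac(m, flipped)))


M = b"Give Darth a $10,000 raise -- Alice"   # constructed sample message
SHORT_KEY = b"\x9c\x41"                       # constructed 16-bit key: far too small

if __name__ == "__main__":
    key, trials = key_search(M, nested_mac(M, SHORT_KEY), nested_mac, 2)
    print("recovered", key.hex(), "after", trials, "trials")
    for mac in (prefix_mac, postfix_mac, nested_mac):
        print(mac.__name__, key_avalanche(mac, M, SHORT_KEY), "of 256 bits changed")
```

Nesting does not slow the search down: a 16-bit key falls within 65,536 trials whichever construction is used, while a 128-bit key raises the same loop to 2^128 trials.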

Page 25: Network Security  Lec5

Chained MAC (CMAC)

• “Hashless” MAC
  – Uses an encryption algorithm (DES, AES, etc.) to generate MAC

Page 26: Network Security  Lec5

Chained MAC (CMAC)

• Based on same idea as cipher block chaining
  – Message broken into N blocks
  – Each block fed into an encryption algorithm with key
  – Result XOR’d with next block before encryption to make final MAC depend on all blocks

• Main difference: compresses result to size of single block

Page 27: Network Security  Lec5

Chained MAC (CMAC)

• Final stage uses “additional key”
  – Derived from cipher key but hides relationship to key:
    • Encrypting all 0’s
    • Multiplying by x or x^2 over GF(2^n)

Page 28: Network Security  Lec5

Chained MAC (CMAC)

• Additional key XOR’d with final block

• Crucial to use different key for last XOR
  – Avoids differential cryptanalysis of 2 messages with same beginning

• MAC = leftmost n bits of result
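The derivation of the “additional key” and its XOR into the final block, as an added example that is not part of the lecture. It follows the 128-bit case of CMAC as specified in RFC 4493 (two subkeys, 10...0 padding of an incomplete last block), takes the encryption of the all-zero block as an input instead of calling AES, and checks the result against that RFC's published subkey values.

```python
BLOCK_BITS = 128
R128 = 0x87  # reduction constant for GF(2^128): x^128 = x^7 + x^2 + x + 1


def gf_double(block: bytes) -> bytes:
    """Multiply a 128-bit block by x in GF(2^128)."""
    v = int.from_bytes(block, "big") << 1
    if v >> BLOCK_BITS:                        # top bit shifted out: reduce
        v = (v & ((1 << BLOCK_BITS) - 1)) ^ R128
    return v.to_bytes(BLOCK_BITS // 8, "big")


def cmac_subkeys(l_block: bytes) -> tuple:
    """K1 = L*x and K2 = L*x^2, where L is the encryption of the all-zero block."""
    k1 = gf_double(l_block)
    return k1, gf_double(k1)


def mask_last_block(last: bytes, k1: bytes, k2: bytes) -> bytes:
    """XOR the additional key into the final block before its encryption."""
    if len(last) == 16:
        key = k1                               # complete final block uses K1
    else:
        last = last + b"\x80" + bytes(15 - len(last))   # pad with 10...0
        key = k2                               # padded final block uses K2
    return bytes(a ^ b for a, b in zip(last, key))


# L = AES-128 encryption of the zero block, taken from the RFC 4493 test vectors
L_RFC4493 = bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f")

if __name__ == "__main__":
    k1, k2 = cmac_subkeys(L_RFC4493)
    print("K1 =", k1.hex())
    print("K2 =", k2.hex())
```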

Page 29: Network Security  Lec5

Chained MAC (CMAC)

• Advantages:
  – Can use existing encryption functions
  – Encryption functions have properties that resist preimage and collision attacks
    • Ciphertext designed to appear like “random noise” – good approximation of random oracle model
    • Most exhibit strong avalanche effect – minor change in message gives great change in resulting MAC

• Disadvantage:
  – Encryption algorithms (particularly when chained) can be much slower than hash algorithms

Page 30: Network Security  Lec5

Compression Functions

• Function that compresses message of arbitrary length to m-bit digest

• Following must be computationally infeasible:
  – Given message M, find M´ such that h(M) = h(M´)
  – Finding any M1 and M2 such that h(M1) = h(M2)

• Difficult to assure for arbitrary compression

[Figure: f maps message of arbitrary size to m-bit digest]

Page 31: Network Security  Lec5

Compression Functions

• Easier to create function that compresses block of fixed size k > m

• Break message into blocks of fixed size

[Figure: f maps k-bit message to m-bit digest]

Page 32: Network Security  Lec5

Iterated Hash Function: Merkle-Damgard scheme

If the compression function in the Merkle-Damgard scheme is collision resistant, the hash function is also collision resistant

Page 33: Network Security  Lec5

Iterated Hash Function

• Compression function of form h(M_i, H_{i-1})
  – M_i = i-th message block
  – H_{i-1} = previous message digest
  – H_0 = initial vector known to sender, recipient

• If f is collision resistant, so is entire algorithm

[Figure: f takes n-bit message block M_i and m-bit digest H_{i-1} and outputs m-bit digest H_i]

Page 34: Network Security  Lec5

Types of Hash Algorithms

• “Made from scratch”
  – Specifically designed for hashing
  – Often no clear structure for maximum confusion
  – Examples:
    • Message Digest (MD) designed by Ron Rivest
    • Secure Hash Algorithm (SHA)

• Based on block ciphers
  – Rebuild existing cipher into compression function
  – Already has desirable properties of cryptographic hash
  – Example: Whirlpool

Page 35: Network Security  Lec5

Block Ciphers for Hashing

• Rabin scheme
  – “Plaintext” = output of previous stage
  – “Key” = current message block

• Potentially vulnerable to “meet in middle” attack
  – Since encryption reversible, could work backwards from final message digest to find another M with same digest

Page 36: Network Security  Lec5

Block Ciphers for Hashing

• Miyaguchi-Preneel scheme (used by Whirlpool)
  – Output of each stage based on XOR of:
    • Output of encryption function
    • Output of previous stage
    • Current message
  – Prevents “meet in middle” attacks
    • Cannot work backwards through encryption functions
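The Merkle-Damgard iteration from the Iterated Hash Function slides with the Rabin and Miyaguchi-Preneel steps plugged in as the compression function, as an added example that is not part of the lecture. The 64-bit Feistel cipher is a constructed toy stand-in, and the padding rule and all-zero initial vector are assumptions.

```python
import hashlib

BLOCK = 8  # toy 64-bit block size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher (constructed stand-in, not a real cipher)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def rabin_step(h_prev: bytes, m_i: bytes) -> bytes:
    return encrypt(m_i, h_prev)        # key = message block, plaintext = H_{i-1}


def rabin_step_back(h_i: bytes, m_i: bytes) -> bytes:
    return decrypt(m_i, h_i)           # reversible: recovers H_{i-1}


def mp_step(h_prev: bytes, m_i: bytes) -> bytes:
    # Miyaguchi-Preneel: E(M_i) under key H_{i-1}, XOR H_{i-1}, XOR M_i
    return _xor(_xor(encrypt(h_prev, m_i), h_prev), m_i)


def md_hash(message: bytes, step=mp_step, iv: bytes = bytes(BLOCK)) -> bytes:
    """Merkle-Damgard iteration H_i = f(M_i, H_{i-1}) starting from H_0 = iv."""
    # Assumed padding: 0x80, zero fill, then the message length in 8 bytes.
    padded = message + b"\x80"
    padded += bytes(-len(padded) % BLOCK) + len(message).to_bytes(8, "big")
    h = iv
    for i in range(0, len(padded), BLOCK):
        h = step(h, padded[i:i + BLOCK])
    return h
```

`rabin_step_back` is the property the “meet in middle” bullet refers to: each Rabin stage can be undone for any chosen message block, whereas undoing `mp_step` would need H_{i-1} itself as the cipher key.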