Authentication & MD5

Jen-Chang Liu, Fall 2005

Adapted fromlecture slides by Lawrie Brown

Model for Network Security

Type of attacks disclosure traffic analysis masquerade 偽裝 content modification sequence modification

Insertion, deletion, reordering timing modification

Delay or replay of message source repudiation destination repudiation

Message confidentiality => ciphers

Message authentication=>Message encryption, Message auth. code, Hash function

不可否認發出訊息Digital signature

不可否認收到訊息

Outline

Message authentication Message encryption Message authentication code: MAC=Ck(M),

k is a shared secret key, MAC is a fixed-length code

Hash function: h=H(M), h is a fixed-length code

MD5

Message Authentication message authentication is concerned

with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute

resolution)

Two-level approach Produce an authenticator: a value to be

used to authenticate a message Authentication protocol

訊息來源

來源不可否認發出訊息

Message Encryption The ciphertext of the message serves

as its authenticator symmetric encryption is used:

* A is the only party that possesses K

* Y=DK(X), How to verify that Y is legitimate plaintext?Source: text fileSource: binary file, such as compressed file, …

Symmetric encryption for authentication

Constraint: the plaintext have some well-formed structure

Example 1: frame check sequence (FCS)

Error detection codeFrame check sequenceHash function

Symmetric encryption for authentication (cont.)

Example 2: TCP header

encrypted

Public-key encryption for authentication

Anyone can access public key – no authentication

Only A has private key, M must be well-formed

A B

confidentiality

authentication

Confidentiality+authentication

Outline Message authentication

Message encryption Message authentication code: MAC=Ck(M),

k is a shared secret key, MAC is a fixed-length code

Hash function: h=H(M), h is a fixed-length code

MD5

Message Authentication Code (MAC)

MAC is a cryptographic checksum MAC=CK(M) condenses a variable-length message M using a secret key K to a fixed-sized authenticator

Message Authentication Codes (cont.)

why use a MAC instead of message encryption? Sometimes only authentication is needed

Ex. Broadcast of shut down message, check MAC is cheaper

Ex. The receiver side cannot afford time to decrypt Ex. Authentication of a program in plaintext

Separation of authentication and confidentiality

Sometimes need authentication to persist longer than the encryption (eg. archival use)

note that a MAC is not a digital signature Both sender and receiver share the same key

Using Symmetric Ciphers for MACs

Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC using IV=0 and zero-pad of final block encrypt message using DES in CBC mode and send just the final block as the MAC

or the leftmost M bits (16≤M≤64) of final block

Cipher block chaining

+IV=0

Message + MAC with confidentiality

Outline Message authentication

Message encryption Message authentication code: MAC=Ck(M),

k is a shared secret key, MAC is a fixed-length code

Hash function: h=H(M), h is a fixed-length code

MD5

Hash Functions Hash function: h=H(M), h is a fixed-

length code Also called as message digest or hash value usually assume that the hash function is

public and not keyed. cf. MAC which is keyed

hash is used to detect changes to message

can use in various ways with message, most often to create a digital signature

Hash functions & symmetric encryption

Hash code provide a structurefor the message

In fact, a MACcode

Hash functions & public-key encryptions

In fact, a digitalsignature

confidentiality

User A User B

Hash functions & a shared secret value S

Advantage: no encryption is necessary

confidentiality

Requirements for Hash Functions

1. is easy to compute h=H(M) for any message M2. can be applied to any sized message M3. produces fixed-length output h4. given h is infeasible to find x s.t. H(x)=h

• one-way property• Important if a secret value is hashed. h = H(M || S)

5. given x is infeasible to find y s.t. H(y)=H(x)• weak collision resistance• Prevent forgery

6. is infeasible to find any x,y s.t. H(y)=H(x)• strong collision resistance

Simple Hash Functions based on XOR of message blocks

XOR

* Too simple to fit the security requirements

Hash Algorithms see similarities in the evolution of hash

functions & block ciphers increasing power of brute-force attacks leading to evolution in algorithms from DES to AES in block ciphers from MD4 & MD5 to SHA-1 & RIPEMD-160

in hash algorithms likewise tend to use common iterative

structure as do block ciphers

MD5 (Message Digest) designed by Ronald Rivest (the R in

RSA) latest in a series of MD2, MD4 produces a 128-bit hash value until recently was the most widely used

hash algorithm in recent times have both brute-force &

cryptanalytic concerns specified as Internet standard RFC1321

MD5 Overview1. pad message so its length is 448 mod 512 2. append a 64-bit length value to message 3. initialise 4-word (128-bit) MD buffer

(A,B,C,D) 4. process message in 16-word (512-bit)

blocks: using 4 rounds of 16-step operations on message

block & buffer add output to buffer input to form new buffer

value

5. output hash value is the final buffer value

always

HMD5

T[i]=232 abs(sin(i)) [32 bits or 1 word]

MD5 Compression Function (1 step)

32 bits 32 bits 32 bits 32 bits

Random 32 bits

32 bits from512-bits block

Circular left shift

Round functions

Round Primitive function g

g(b,c,d)

1 F(b, c, d) (bc)(bd)

2 G(b, c, d) (bd)(cd)

3 H(b, c, d) bcd

4 I(b, c, d) c(bd)

* Bitwise logical operations

HMD5

Strength of MD5 MD5 hash is dependent on all message bits Rivest claims security is good as can be Case 1: find M1 and M2

Case 2: find a message with given MD

M1

M2

128-bit MD

128-bit MD

264 operations

2128 operations

Strength of MD5 (cont.) known attacks are:

Berson 92 attacked any 1 round using differential cryptanalysis (but can’t extend)

Boer & Bosselaers 93 found a pseudo collision (different ABCD buffers, same output) in single block (again unable to extend)

Dobbertin 96 created collisions (different 512-bit blocks, same output) in single block (but initial constants prevent exploit)

conclusion is that MD5 looks vulnerable soon