Download - Authentication & MD5 Jen-Chang Liu, Fall 2005 Adapted from lecture slides by Lawrie Brown
Type of attacks disclosure traffic analysis masquerade 偽裝 content modification sequence modification
Insertion, deletion, reordering timing modification
Delay or replay of message source repudiation destination repudiation
Message confidentiality => ciphers
Message authentication=>Message encryption, Message auth. code, Hash function
不可否認發出訊息Digital signature
不可否認收到訊息
Outline
Message authentication Message encryption Message authentication code: MAC=Ck(M),
k is a shared secret key, MAC is a fixed-length code
Hash function: h=H(M), h is a fixed-length code
MD5
Message Authentication message authentication is concerned
with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute
resolution)
Two-level approach Produce an authenticator: a value to be
used to authenticate a message Authentication protocol
訊息來源
來源不可否認發出訊息
Message Encryption The ciphertext of the message serves
as its authenticator symmetric encryption is used:
* A is the only party that possesses K
* Y=DK(X), How to verify that Y is legitimate plaintext?Source: text fileSource: binary file, such as compressed file, …
Symmetric encryption for authentication
Constraint: the plaintext have some well-formed structure
Example 1: frame check sequence (FCS)
Error detection codeFrame check sequenceHash function
Public-key encryption for authentication
Anyone can access public key – no authentication
Only A has private key, M must be well-formed
A B
confidentiality
authentication
Confidentiality+authentication
Outline Message authentication
Message encryption Message authentication code: MAC=Ck(M),
k is a shared secret key, MAC is a fixed-length code
Hash function: h=H(M), h is a fixed-length code
MD5
Message Authentication Code (MAC)
MAC is a cryptographic checksum MAC=CK(M) condenses a variable-length message M using a secret key K to a fixed-sized authenticator
Message Authentication Codes (cont.)
why use a MAC instead of message encryption? Sometimes only authentication is needed
Ex. Broadcast of shut down message, check MAC is cheaper
Ex. The receiver side cannot afford time to decrypt Ex. Authentication of a program in plaintext
Separation of authentication and confidentiality
Sometimes need authentication to persist longer than the encryption (eg. archival use)
note that a MAC is not a digital signature Both sender and receiver share the same key
Using Symmetric Ciphers for MACs
Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC using IV=0 and zero-pad of final block encrypt message using DES in CBC mode and send just the final block as the MAC
or the leftmost M bits (16≤M≤64) of final block
Cipher block chaining
+IV=0
Outline Message authentication
Message encryption Message authentication code: MAC=Ck(M),
k is a shared secret key, MAC is a fixed-length code
Hash function: h=H(M), h is a fixed-length code
MD5
Hash Functions Hash function: h=H(M), h is a fixed-
length code Also called as message digest or hash value usually assume that the hash function is
public and not keyed. cf. MAC which is keyed
hash is used to detect changes to message
can use in various ways with message, most often to create a digital signature
Hash functions & symmetric encryption
Hash code provide a structurefor the message
In fact, a MACcode
Requirements for Hash Functions
1. is easy to compute h=H(M) for any message M2. can be applied to any sized message M3. produces fixed-length output h4. given h is infeasible to find x s.t. H(x)=h
• one-way property• Important if a secret value is hashed. h = H(M || S)
5. given x is infeasible to find y s.t. H(y)=H(x)• weak collision resistance• Prevent forgery
6. is infeasible to find any x,y s.t. H(y)=H(x)• strong collision resistance
Simple Hash Functions based on XOR of message blocks
XOR
* Too simple to fit the security requirements
Hash Algorithms see similarities in the evolution of hash
functions & block ciphers increasing power of brute-force attacks leading to evolution in algorithms from DES to AES in block ciphers from MD4 & MD5 to SHA-1 & RIPEMD-160
in hash algorithms likewise tend to use common iterative
structure as do block ciphers
MD5 (Message Digest) designed by Ronald Rivest (the R in
RSA) latest in a series of MD2, MD4 produces a 128-bit hash value until recently was the most widely used
hash algorithm in recent times have both brute-force &
cryptanalytic concerns specified as Internet standard RFC1321
MD5 Overview1. pad message so its length is 448 mod 512 2. append a 64-bit length value to message 3. initialise 4-word (128-bit) MD buffer
(A,B,C,D) 4. process message in 16-word (512-bit)
blocks: using 4 rounds of 16-step operations on message
block & buffer add output to buffer input to form new buffer
value
5. output hash value is the final buffer value
MD5 Compression Function (1 step)
32 bits 32 bits 32 bits 32 bits
Random 32 bits
32 bits from512-bits block
Circular left shift
Round functions
Round Primitive function g
g(b,c,d)
1 F(b, c, d) (bc)(bd)
2 G(b, c, d) (bd)(cd)
3 H(b, c, d) bcd
4 I(b, c, d) c(bd)
* Bitwise logical operations
Strength of MD5 MD5 hash is dependent on all message bits Rivest claims security is good as can be Case 1: find M1 and M2
Case 2: find a message with given MD
M1
M2
128-bit MD
128-bit MD
264 operations
2128 operations
Strength of MD5 (cont.) known attacks are:
Berson 92 attacked any 1 round using differential cryptanalysis (but can’t extend)
Boer & Bosselaers 93 found a pseudo collision (different ABCD buffers, same output) in single block (again unable to extend)
Dobbertin 96 created collisions (different 512-bit blocks, same output) in single block (but initial constants prevent exploit)
conclusion is that MD5 looks vulnerable soon