Information Security Principles & Applications, Topic 4: Message Authentication 虞慧群...
Authentication
Requirements - must be able to verify that:
  Message came from its alleged source or author
  Contents have not been altered
  Sometimes, it was sent at a certain time or sequence
Protection against active attack (falsification of data and transactions)
Two levels for message authentication mechanism
  Lower level: authenticator – a value to be used to authenticate a message
  Higher level: an authentication protocol that enables a receiver to verify the authenticity of the message
Approaches to Message Authentication
Authentication Using Conventional Encryption
  Only the sender and receiver should share a key
Message Authentication without Message Encryption
  An authentication tag is generated and appended to each message
  Two ways:
    Message Authentication Code (MAC)
    Hash function (or message digest)
Message Authentication Code
generated by an algorithm that creates a small fixed-sized block
  depending on both message and some key
  like encryption though need not be reversible
appended to message as a signature
receiver performs same computation on message and checks it matches the MAC
provides assurance that message is unaltered and comes from sender
Message Authentication Code
Calculate the MAC as a function of the message and the key, i.e. MAC = F_K(M)
MAC Properties
a MAC is a cryptographic checksum: MAC = F_K(M)
  condenses a variable-length message M using a secret key K to a fixed-sized authenticator
is a many-to-one function
  potentially many messages have same MAC
  but finding these needs to be very difficult
Requirements for MACs
taking into account the types of attacks, need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible to find another message with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the message
Approaches to constructing MACs
  Using DES
  HMAC
Hash Functions
condenses arbitrary message to fixed size
usually assume that the hash function is public and not keyed
  cf. MAC which is keyed
hash used to detect changes to message
can use in various ways with message
most often to create a digital signature
Authentication Using Hash
Secret value is added before the hash and removed before transmission.
Hash Function Properties
a Hash Function produces a fingerprint of some file/message/data
  h = H(M)
  condenses a variable-length message M to a fixed-sized fingerprint
Hash function assumed to be public
Requirements for Hash Functions
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h=H(M) for any message M
4. given h is infeasible to find x s.t. H(x)=h
   • one-way property
5. given x is infeasible to find y ≠ x s.t. H(y)=H(x)
   • weak collision resistance
6. is infeasible to find any x,y with x ≠ y s.t. H(y)=H(x)
   • strong collision resistance
Secure Hash Functions and HMAC
Secure Hash Functions
  Secure Hash Algorithm (SHA-1)
    NIST standard (FIPS 180-1), issued in 1995
    Input: message length (< 2^64); Output: 160-bit MD
  MD5
  RIPEMD-160
HMAC
  Developing a MAC derived from a cryptographic hash code, such as SHA-1.
  Used in IP security, Transport Layer Security (TLS) and Secure Electronic Transaction (SET).
Authentication Applications
will consider authentication functions developed to support application-level authentication & digital signatures
will consider Kerberos – a private-key authentication service
then X.509 directory authentication service
KERBEROS
In Greek mythology, a many-headed dog, the guardian of the entrance of Hades
KERBEROS
Users wish to access services on servers.
Three threats exist:
  User pretends to be another user.
  User alters the network address of a workstation.
  User eavesdrops on exchanges and uses a replay attack.
KERBEROS
Provides a centralized authentication server to authenticate users to servers and servers to users.
Relies on conventional encryption, making no use of public-key encryption
Two versions: version 4 and 5
Version 4 makes use of DES
Kerberos Version 4
Terms:
  C = Client
  AS = authentication server
  V = server
  IDc = identifier of user on C
  IDv = identifier of V
  Pc = password of user on C
  ADc = network address of C
  Kv = secret encryption key shared by AS and V
  TS = timestamp
  || = concatenation
A Simple Authentication Dialogue
(1) C -> AS: IDc || Pc || IDv
(2) AS -> C: Ticket
(3) C -> V: IDc || Ticket
Ticket = E_Kv[IDc || ADc || IDv]
Two problems
  The number of times a user has to enter a password
  Plaintext transmission of the password
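The simple dialogue above with both sides' messages, as an added example that is not part of the original slides. The seal/unseal helpers are a constructed stand-in for E_Kv (Kerberos v4 itself uses DES), "||" is rendered as a text delimiter, and the user, password, server name and addresses are constructed.

```python
import hashlib
import hmac
import os

K_V = os.urandom(32)                  # Kv: secret key shared by AS and V
PASSWORDS = {"alice": "s3cret-pw"}    # AS password database (constructed)
ID_V = "fileserver"                   # IDv (constructed)

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    """Stand-in for E_K[...]: SHA-256 keystream XOR plus an HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def message1(id_c, p_c, id_v):
    """(1) C -> AS: IDc || Pc || IDv -- note that Pc travels in the clear."""
    return "||".join([id_c, p_c, id_v]).encode()

def as_issue(msg1, ad_c):
    """(2) AS -> C: Ticket = E_Kv[IDc || ADc || IDv], or None on a bad Pc."""
    id_c, p_c, id_v = msg1.decode().split("||")
    stored = PASSWORDS.get(id_c)
    if stored is None or not hmac.compare_digest(stored.encode(), p_c.encode()):
        return None
    return seal(K_V, "||".join([id_c, ad_c, id_v]).encode())

def v_accept(id_c, ticket, src_addr):
    """(3) C -> V: IDc || Ticket. V decrypts and checks IDc, ADc and IDv."""
    body = unseal(K_V, ticket)
    if body is None:
        return False                   # forged or modified ticket
    return body.decode().split("||") == [id_c, src_addr, ID_V]

if __name__ == "__main__":
    m1 = message1("alice", "s3cret-pw", ID_V)
    ticket = as_issue(m1, "10.0.0.5")
    print(v_accept("alice", ticket, "10.0.0.5"))   # same user, same address
    print(v_accept("alice", ticket, "10.0.0.9"))   # ticket presented from another address
```

Because the ticket binds IDc and ADc under Kv, V rejects it when the claimed user or the source address differs, while message (1) still carries the password in plaintext, the second problem listed above.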
The Idea towards Solution
Introducing a ticket-granting server (TGS)
  The user first requests a ticket-granting ticket (Ticket_tgs) from the AS;
  The user then authenticates itself to TGS for a ticket (Ticket_v) for accessing new service;
  The user finally authenticates itself to V for requesting a particular service.
Kerberos Version 4 Authentication Dialogue
Overview of Kerberos
Request for Service in Another Realm
Difference Between Version 4 and 5
  Encryption system dependence (V.4 DES)
  Internet protocol dependence
  Message byte ordering
  Ticket lifetime
  Authentication forwarding
  Interrealm authentication
Kerberos Encryption Techniques
PCBC Mode
Kerberos - in practice
Currently have two Kerberos versions:
  4: restricted to a single realm
  5: allows inter-realm authentication, in beta test
Kerberos v5 is an Internet standard specified in RFC 1510, and used by many utilities
To use Kerberos:
  need to have a KDC on your network
  need to have Kerberised applications running on all participating systems
  major problem - US export restrictions
  Kerberos cannot be directly distributed outside the US in source format (& binary versions must obscure crypto routine entry points and have no encryption)
  else crypto libraries must be reimplemented locally
X.509 Authentication Service
Distributed set of servers that maintains a database about users.
Each certificate contains the public key of a user and is signed with the private key of a CA.
Is used in S/MIME, IP Security, SSL/TLS and SET.
RSA is the recommended algorithm.
X.509 Formats
Obtaining a User’s Certificate
Characteristics of certificates generated by CA:
  Any user with access to the public key of the CA can recover the user public key that was certified.
  No party other than the CA can modify the certificate without this being detected.
X.509 CA Hierarchy
Revocation of Certificates
Reasons for revocation:
  The user's secret key is assumed to be compromised.
  The user is no longer certified by this CA.
  The CA’s certificate is assumed to be compromised.
Authentication Procedures
Summary
have considered:
  message authentication using
    message encryption
    MACs
    hash functions
  Kerberos
  X.509 Authentication Service
A Quiz
In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user whose public key e = 5, n = 35. What is the plaintext M?