Integrity and Authentication
Cryptography and Network Security
TECH 6350, Session 4: Integrity and Authentication
Manuel Mogollon
m_mogollon@verizon.net
Graduate School of Management, Information Assurance, University of Dallas

Session 4 – Contents
• Integrity
— Message Authentication Code (MAC)
— Hash Functions
• Authentication
— Digital Signature Standard (FIPS 186-2)
— DSA (ANSI X9.30)
— RSA (ANSI X9.31)
— ElGamal
— ECDSA (ANSI X9.62)
Integrity MAC HASH SHA MD5 HMAC Authentication Digital Signatures 1
M. Mogollon – 01/08 1
• In the world of communications, assurance is sought that (1) a message is not accidentally or deliberately modified in transit by replacement, insertion, or deletion; (2) the message is coming from the source from which it claims to come; (3) the message is protected against unauthorized individuals reading information that is supposed to be kept private; and (4) there is a protection against an individual denying she/he sent or received a message.
• In this session, methods that can check if a message was modified (hash functions), and ways to verify a sender’s identity by using digital signatures, will be explained.

Integrity
Assurance that a message was not accidentally or deliberately modified in transit by replacement, insertion, or deletion.
[Figure: integrity mechanisms. Hash functions: SHA (SHA-1, SHA-256, SHA-384, SHA-512) and MD5. MAC: DES CBC and AES-XCBC-MAC-96. HMAC: HMAC-SHA1-96 and HMAC-MD5-96. Also digital signatures and encryption.]
• The mechanism for ensuring that data is not altered when transmitted from source to destination, or when it is stored, is called integrity. Message Digest 5 (MD5), the Secure Hash Standard algorithms (SHA-1, SHA-256, SHA-384, and SHA-512), Message Authentication Codes (MACs), and Keyed-Hash Message Authentication Codes (HMAC) are mechanisms that check the integrity of a message.
• Encryption provides intrinsic integrity because if a ciphertext block has been modified, the block will not be deciphered properly. Digital signatures also provide integrity because they use hash functions.

What is Integrity?
integrity / n. (1) The property of ensuring that data is transmitted from source to destination without undetected alteration. (2) The process of preventing undetected alteration of data.
Integrity Using a Message Summary
[Figure: Bob’s message “I sent you $567.34 with Mary.” Alice counts the money and checks “Was it $567.34? Yes/No”. A message digest (hash) is used in the same way, to prove that the stated amount of money was not altered.]
• When Bob tells Alice that he sent $567.34 with Mary, Alice uses that information to check, count the money, and verify that the amount of money was not altered.
• This is similar to a message digest or hash function.

Message Authentication Code (MAC)
[Figure: the sender runs the message through a block cipher in CBC mode under the secret key and initial variable; the last ciphertext block is transmitted as the MAC. The receiver runs the received message through the same block cipher with the same key and initial variable and compares the result with the received MAC.]
• Both parties share a secret key.
• Last ciphertext block sent as a hash.
• IV is zero block (all “0” bits).
• DES 64-bit hash, AES 128-bit hash used.
• The mechanisms that provide integrity checks based on a secret key are usually called Message Authentication Codes (MACs). Typically, MACs are used between two parties who share a secret key in order to authenticate information transmitted between these parties.
• A MAC is a key-dependent one-way hash function. One popular way to construct a MAC algorithm is to use a block cipher in conjunction with the Cipher Block Chaining (CBC) mode of operation with IV = 0. This MAC is the ANSI standard DES-based checksum, also known as the U.S. Government Standard Computer Data Authentication Code, FIPS PUB 113 (Federal Information Processing Standards (FIPS), 1985).
• The integrity provided by the MAC is based on the fact that it is not possible to generate a MAC without knowing the cryptographic key. An adversary without knowledge of the key will not be able to modify data and then generate an authentic MAC on the modified data. It is, therefore, crucial that keys be protected so that their secrecy is preserved. If the key is known only by the source and the destination, this algorithm will provide both data origin authentication and data integrity for datagrams sent between the two parties. In addition, only a party with the identical key can verify the hash.

Using CBC Mode as a Hash Function
[Figure: each cleartext block is XORed with the previous ciphertext block (with the IV for the first block) and fed to the block cipher; the last ciphertext block is the hash.]
• Sends last ciphertext block as a hash.
• Uses a fixed, known crypto variable IV.
• DES hash: 64 bits.
• AES hash: 128 bits.
• The data (e.g., record, file, message, or program) to be authenticated is grouped into contiguous bit blocks D1, D2, ..., Dn. If the number of data bits is not a multiple of n, the block size, then the final input block will be a partial block of data, left justified, with zeroes appended to form a full n-bit block. The calculation of the hash is given by the following equations, where e() is encryption under the secret key:
• O1 = e(D1)
• O2 = e(D2 XOR O1)
• O3 = e(D3 XOR O2)
• ...
• On = e(Dn XOR On-1)
• The Cipher Block Chaining Mode (CBC) with Initialization Vector (IV) = 0 (see FIPS 113) and the n-bit Cipher Feedback Mode with IV = D1 and data equal to D2, D3, ..., Dn (see FIPS PUB 81) both yield the required hash calculation.

AES-XCBC-MAC-96
[Figure: message blocks M1 ... Mn-1 are chained through the AES block cipher under K1, producing E(1) ... E(n-1); the last message block Mn is XORed with E(n-1) and with K2 or K3 before the final AES encryption under K1, which gives E(n). K1, K2 and K3 are derived by encrypting three seed constants under K.]
• RFC 3566 is proposed for use in IPsec, AH and ESP.
• E(n) is a 128-bit authenticator value. AES-XCBC-MAC-96 is derived by truncating the 128-bit value in the same way as it is done in HMAC.
• The length of 96 bits is the default authenticator length for use with either ESP or AH.
• According to RFC 3566, the classic CBC-MAC algorithm, while secure for messages of a pre-selected fixed length, has been shown to be not secure across messages of varying lengths, such as the type found in typical IP datagrams. The new algorithm, AES-XCBC-MAC-96, RFC 3566 (Frankel & Herbert), specifies the use of AES in CBC mode with a set of extensions to overcome this limitation.
• AES-XCBC-MAC-96 is secure for messages of arbitrary length. AES-XCBC-MAC-96 is used as an authentication mechanism within the context of IPsec in the Encapsulating Security Payload (ESP) and the Authentication Header (AH) protocols.
• As with any MAC, the data integrity and data origin authentication provided by AES-XCBC-MAC-96 depend on the secrecy of the secret key K and of its distribution.
• Derive three 128-bit keys (K1, K2 and K3) from the 128-bit secret key K, as follows:
• K1 = 0x01010101010101010101010101010101 encrypted with Key K
• K2 = 0x02020202020202020202020202020202 encrypted with Key K
• K3 = 0x03030303030303030303030303030303 encrypted with Key K.
• For block M[n]:
1. If the blocksize of M[n] is 128 bits: XOR M[n] with E[n-1] and Key K2; the result is encrypted with Key K1, yielding E[n].
2. If the blocksize of M[n] is less than 128 bits:
• Pad M[n] with a single 1 bit, followed by the number of 0 bits (possibly none) required to increase M[n]'s blocksize to 128 bits.
• XOR M[n] with E[n-1] and Key K3, then encrypt the result with Key K1, yielding E[n].

Hash Functions – One-way Functions
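The two constructions described above, the FIPS 113 style CBC-MAC chain O_i = e(D_i XOR O_{i-1}) with IV = 0 and zero padding, and the RFC 3566 AES-XCBC-MAC-96 key derivation and final-block rule, as an added example in Go; this is not code from the slides, FIPS 113 or RFC 3566, the function names are my own, and the key and message in main are constructed for the demo. The test values come from computing each case by hand with Go's AES, not from memorised test vectors; RFC 3566 section 4 lists official vectors a reader can check the function against.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// xorInto XORs src into dst in place (len(src) >= len(dst) is required).
func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// cbcMAC is the FIPS 113 construction from the slides: the data is split into
// blocks D1..Dn (a partial final block is zero-padded on the right), chained as
// O_i = e(D_i XOR O_{i-1}) with O_0 = IV = 0, and the last ciphertext block O_n
// is the MAC. As RFC 3566 notes, this is only secure for a fixed message length.
func cbcMAC(block cipher.Block, data []byte) []byte {
	bs := block.BlockSize()
	n := (len(data) + bs - 1) / bs
	if n == 0 {
		n = 1 // empty input becomes a single all-zero block
	}
	prev := make([]byte, bs) // O_0 = IV = all-zero block
	for i := 0; i < n; i++ {
		in := make([]byte, bs)
		if i*bs < len(data) {
			copy(in, data[i*bs:]) // copies at most bs bytes; the rest stays zero
		}
		xorInto(in, prev)
		block.Encrypt(prev, in)
	}
	return prev
}

// aesXCBCMAC96 follows the RFC 3566 procedure on the slides: K1, K2, K3 are
// derived by encrypting the constant blocks 0x01.., 0x02.., 0x03.. under K;
// all but the last block are chained under K1; the last block is XORed with
// E[n-1] and with K2 (full block) or K3 (padded partial block) before the final
// encryption under K1; the 128-bit result is truncated to 96 bits.
func aesXCBCMAC96(key, msg []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, fmt.Errorf("AES-XCBC-MAC-96 needs a 128-bit key, got %d bits", len(key)*8)
	}
	ck, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	derive := func(c byte) []byte {
		k := make([]byte, 16)
		ck.Encrypt(k, bytes.Repeat([]byte{c}, 16))
		return k
	}
	k1, k2, k3 := derive(0x01), derive(0x02), derive(0x03)
	c1, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	n := (len(msg) + 15) / 16
	if n == 0 {
		n = 1 // an empty message is processed as one padded block
	}
	e := make([]byte, 16) // E[0] = 0
	for i := 0; i < n-1; i++ {
		xorInto(e, msg[i*16:(i+1)*16])
		c1.Encrypt(e, e)
	}
	last := make([]byte, 16)
	rem := msg[(n-1)*16:]
	copy(last, rem)
	if len(rem) == 16 {
		xorInto(last, k2) // case 1: the final block is a full 128 bits
	} else {
		last[len(rem)] = 0x80 // case 2: pad with a single 1 bit, then 0 bits
		xorInto(last, k3)
	}
	xorInto(last, e)
	c1.Encrypt(e, last)
	return e[:12], nil // E[n] truncated to the 96-bit authenticator
}

func main() {
	// Constructed demo key and message (not taken from RFC 3566).
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	msg := []byte("constructed IPsec payload for the demo")
	ck, _ := aes.NewCipher(key)
	fmt.Printf("CBC-MAC (AES, IV=0): %x\n", cbcMAC(ck, msg))
	tag, _ := aesXCBCMAC96(key, msg)
	fmt.Printf("AES-XCBC-MAC-96:     %x\n", tag)
}
```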
[Figure: iterated hash construction. The message is padded to a length divisible by the block size (pad bits, then BR = binary representation of the message length, BR bits long); blocks M1, M2, ..., Mn are fed one at a time to a compression function together with the previous output (the initial value for M1); the last output is the hash.]
Take an input m and return a fixed-size string.
Hard to invert. Given the hash value, it is computationally infeasible to find the initial value m.
Message Digest 5 (MD5) and Secure Hash Algorithm are hash functions.
• Hash functions are used to prove that transmitted data was not altered. A hash function H takes an input message m and transforms it to produce a hash value h that is a function of the message, h = H(m); the input is a variable-length string and the output is a fixed-size string. The hash value is also called a message digest or a fingerprint of the message because there is a very low probability that two messages will produce the same hash value.
• Hash functions are hard to invert. Given the hash value, it is computationally infeasible to find the initial value m.
• A hash function must have the following properties:
• The message size can be of any length.
• The hash value has a fixed length.
• It is relatively easy to compute H(m) for any given message.
• It is computationally infeasible, virtually impossible, to:
• Find the message m from H(m). This is called a one-way function (preimage resistance).
• Given a message m1, find a second message m2 such that H(m1) = H(m2) (second-preimage resistance).
• Find any two messages, m1 and m2, such that H(m1) = H(m2) (collision resistance).

Checking Integrity with a Hash Function
[Figure: the sender computes the message’s hash with the hash function and transmits the message together with the hash; the receiver runs the received message through the same hash function and compares the result with the received hash.]
• The message and the message’s hash are sent to the receiver.
• The receiver compares the received hash with a newly generated hash.
• If the hashes are the same, it is highly probable that the message has not been changed.
• Hash functions are used to prove that the transmitted data was not altered.

Secure Hash Standard
• On April 17, 1995, the National Institute of Standards and Technology, NIST, approved the Secure Hash Standard, FIPS PUB 180-1, which included one secure hash algorithm, SHA-1.
• On February 1, 2003, a new Secure Hash Signature Standard (SHS) (FIPS PUB 180-2) was approved; it added three hash algorithms (SHA-256, SHA-384, and SHA-512) alongside SHA-1.
• The SHA-1 algorithm specified in FIPS PUB 180-2 is the same algorithm that was specified previously in FIPS 180-1, although some of the notation was modified to be consistent with the notation used in the SHA-256, SHA-384, and SHA-512 algorithms.
• The Secure Hash Standard is required for use with the Digital Signature Algorithm (DSA), as specified in the Digital Signature Standard (DSS), and also whenever a secure hash algorithm is required for federal applications.
• FIPS PUB 180-2 (Federal Information Processing Standards (FIPS), 1995b) specifies four secure hash algorithms: SHA-1, SHA-256, SHA-384, and SHA-512. The message digests range in length from 160 to 512 bits, depending on the algorithm. The SHA-1 algorithm specified in FIPS PUB 180-2 is the same algorithm that was specified previously in FIPS 180-1, although some of the notation was modified to be consistent with the notation used in the SHA-256, SHA-384, and SHA-512 algorithms.
• All four algorithms are iterative, one-way hash functions that process a message to produce a condensed representation called a message digest. They are called secure because, according to the standard, it is computationally infeasible (1) to find a message that corresponds to a given message digest, or (2) to find two different messages that produce the same message digest. Therefore, these hash algorithms enable the determination of a message’s integrity: any change to the message will, with a very high probability, result in a different message digest. This will result in a verification failure when the secure hash algorithm is used with a digital signature algorithm or a keyed-hash message authentication algorithm. Secure hash algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash message authentication codes, or in the generation of random numbers (bits).

Basic properties of all four SHAs
Algorithm   Message Size (bits)   Block Size (bits)   Word Size (bits)   Message Digest Size (bits)   Security (bits)
SHA-1       < 2^64                512                 32                 160                          80
SHA-256     < 2^64                512                 32                 256                          128
SHA-384     < 2^128               1024                64                 384                          192
SHA-512     < 2^128               1024                64                 512                          256
• The number of bits of security that are provided for the data being hashed is directly related to the message digest length. When a secure hash algorithm is used in conjunction with another algorithm, FIPS PUB 180-2 recommends using the hash algorithm whose number of bits of security matches that of the other algorithm. For example, if a message is being signed with a digital signature algorithm that provides 128 bits of security, then that signature algorithm may require the use of a secure hash algorithm that also provides 128 bits of security (e.g., SHA-256). Table 6-1 presents the basic properties of all four secure hash algorithms.

Key Length Equivalent Strengths
Security (Bits)   Symmetric Encryption Algorithm   Hash Algorithm   Block Size (Bits)   Word Size (Bits)   Diffie-Hellman and RSA Modulus Size   ECC
80                SKIPJACK                         SHA-1            512                 32                 1024                                  160
112               3DES                             SHA-1            512                 32                 2048                                  224
128               AES-128                          SHA-256          512                 32                 3072                                  256
192               AES-256                          SHA-384          1024                64                 7680                                  384
256               AES-512                          SHA-512          1024                64                 15360                                 512
• Where hash functions are used, there are two approaches to try to break the hash: exploiting a weakness in the hash algorithm design, i.e., collision attacks, or using brute force attacks. Brute force involves exhaustive procedures that try all password possibilities, one by one. Brute force programs will attempt to crack the password using every combination of numeric, alphabetic, and special characters available, no matter how long it takes.
• There have been several reports questioning the resiliency of the MD5 (128-bit) and, more recently, the SHA-1 (160-bit) hashing algorithms. New attack algorithms have called into question the resiliency of the SHA-1 hashing algorithm because they can find collisions in an estimated work factor of 2^69 hash computations.
• The current NIST recommendation is to consider migrating to the stronger hash functions (SHA-256, SHA-512). There is no immediate risk to products in deploying SHA-1, especially for message authentication requirements. In fact, companies might be forced to support SHA-1 for legacy support in customer networks.
• The National Institute of Standards and Technology (NIST) has specified in FIPS 180-2 the correct combination of hash size, AES key size, and public-key modulus for specific authentication levels of security. For example, if a message is being signed with a digital signature algorithm that provides 128 bits of security, then that signature algorithm may require the use of a secure hash algorithm that also provides 128 bits of security (e.g., SHA-256).
• In the table above, the minimum RSA public-key size refers to the bit-length of the RSA modulus. The RSA public-key algorithm uses a non-prime large number, the RSA modulus n, that is equal to the product of the two large prime factors p and q.

SHA Operations
• Bitwise logical word operations
— x ∧ y = bitwise logical "and" of x and y.
— x ∨ y = bitwise logical "inclusive-or" of x and y.
— x XOR y = bitwise logical "exclusive-or" of x and y.
— ¬x = bitwise logical "complement" of x.
• Addition modulo 2^w
— x + y is defined as follows: words x and y represent integers X and Y, where 0 ≤ X < 2^w and 0 ≤ Y < 2^w. For positive integers U and V, let U mod V be the remainder upon dividing U by V. Compute Z = (X + Y) mod 2^w. Then 0 ≤ Z < 2^w. Convert Z to a word, z, and define z = x + y.
• ROTLn(x) = (x << n) ∨ (x >> w − n). (Circular left shift operation)
— x << n is obtained as follows: discard the leftmost n bits of x and then pad the result with n zeroes on the right (the result will still be w bits).
— x >> w − n is obtained by discarding the rightmost w − n bits of x and then padding the result with w − n zeroes on the left.
• The AND function sets the resulting bit to 1 if the corresponding bit in both operands is 1; otherwise the result is 0.
• Inclusive OR means that if either or both of the operands are 1, the result is 1; otherwise the result is 0.
• Exclusive OR means that if exactly one of the operands is 1, the result is 1; otherwise the result is 0.
• The Complement operator inverts the value of each bit of the operand: if the operand bit is 1 the result is 0, and if the operand bit is 0 the result is 1.
• The following table shows the AND, Inclusive OR, and Exclusive OR functions:
p   q   p ∧ q (AND)   p ∨ q (OR)   p ⊕ q (XOR)
0   0   0             0            0
0   1   0             1            1
1   0   0             1            1
1   1   1             1            0

Secure Hash Algorithm SHA-1
• SHA-1 is used to generate a condensed representation of a message called a message digest.
• SHA-1 is required for use with the Digital Signature Algorithm (DSA), as specified in the Digital Signature Standard (DSS), and whenever a secure hash algorithm is required for federal applications.
• SHA-1 sequentially processes blocks of 512 bits when computing the message digest; padding is required, even if the message is a multiple of 512. Padding is done as follows:
— Append a “1” bit followed by “0” bits until the length is 64 bits less than a multiple of 512 (length = 448 mod 512).
— Append a 64-bit representation of the pre-padded message length.
• The padded message length is 512 × n.
Hash functions are used to prove that the transmitted data was not altered.
• The National Institute of Standards and Technology, NIST, developed the Secure Hash Algorithm (SHA-1). The current FIPS PUB 180-1 supersedes FIPS PUB 180, published on May 11, 1993. SHA-1 is required for use with the Digital Signature Algorithm (DSA), as specified in the Digital Signature Standard (DSS), and whenever a secure hash algorithm is required for federal applications.
• SHA-1 is designed so that it is computationally infeasible to find a message which corresponds to a given message digest, or to find two different messages which produce the same message digest.
• SHA-1:
• Works on messages up to 2^64 bits in length.
• Produces a 160-bit message digest.
• Pads a message to a multiple of 512 bits (length = 448 mod 512).
• Carries out eighty operations in its main algorithm.
• Performs a nonlinear operation on three of the five variables A, B, C, D, and E in each operation.

Computing SHA-1 Message Digest
[Figure: the padded message is split into 512-bit blocks M(1) ... M(N), each made of sixteen 32-bit words Word[0] ... Word[15]. For each block, the compression function starts from a = H0(i-1), b = H1(i-1), c = H2(i-1), d = H3(i-1), e = H4(i-1) (the initial H values for the first block) and produces the new H values H0(i) = a + H0(i-1), ..., H4(i) = e + H4(i-1), which are the starting values for the next block; the H values after block M(N) are the hash.]
• SHA-1 sequentially processes blocks of 512 bits when computing the message digest, and padding is required even if the message is a multiple of 512. Suppose that the length of the message, M, is l bits and k is the number of zero bits. Padding is done as follows:
• A 1 bit followed by k 0 bits is appended until the length is 64 bits less than a multiple of 512 (l + 1 + k = 448 mod 512).
• A 64-bit block that is equal to the number l expressed using a binary representation is appended. The padded message length is 512 × n.
• The message is divided into 512-bit message blocks, and each block into 16 words W[0], W[1], ..., W[15], where W[0] is the leftmost word.
• The initial H values are fixed; they do not change:
• H[0] = 67452301
• H[1] = EFCDAB89
• H[2] = 98BADCFE
• H[3] = 10325476
• H[4] = C3D2E1F0.
• After the first message block is compressed, each working word is added to the initial H word values.
• The new H values become the initial H values for the second block. The process continues in the same manner.
• The last H values are concatenated and become the hash value.

SHA-1 Compression Function
Initialization
H0(0) = 67452301
H1(0) = EFCDAB89
H2(0) = 98BADCFE
H3(0) = 10325476
H4(0) = C3D2E1F0
[Figure: Buffer 1 holds H0(0) ... H4(0); Buffer 2 holds the working variables a, b, c, d, e, initialized from Buffer 1. For t = 0 to 79: T = ROTL5(a) + f_t(b,c,d) + e + W_t + K_t; e = d; d = c; c = ROTL30(b); b = a; a = T. After t = 79, a79 ... e79 are added to H0(0) ... H4(0) to give H0(1) ... H4(1), which are the input for the next block M(2).]
• The SHA-1 computation uses two buffers, each consisting of five 32-bit words, and a sequence of eighty 32-bit words. The words of the first 5-word buffer are labeled H0, H1, H2, H3, H4. The words of the second 5-word buffer are labeled a, b, c, d, and e.
• After the last round, the a, b, c, d, and e words are added to the initial H word values.
• The new H values are used as the new initialization vectors for the next block.
• After the last message block, Mn, has been processed, the message digest is the 160-bit string represented by the 5 words Hn[0] Hn[1] Hn[2] Hn[3] Hn[4].
SHA-1 Rounds
[Figure: the 512-bit message block M1 is split into words W0 ... W15 and processed, with a, b, c, d, e initialized from H0(0) ... H4(0), through rounds t = 0 to 79.]
For t = 0 to 15, let W_t be the message words W0 ... W15.
For t = 16 to 79, let W_t = ROTL1(W_{t-3} XOR W_{t-8} XOR W_{t-14} XOR W_{t-16}).
For t = 0 to 79 do:
T = ROTL5(a) + f_t(b,c,d) + e + W_t + K_t; e = d; d = c; c = ROTL30(b); b = a; a = T.
Where:
ROTL5(a) = (a << 5) ∨ (a >> 32 − 5)
K_t = 5A827999 (0 ≤ t ≤ 19)
K_t = 6ED9EBA1 (20 ≤ t ≤ 39)
K_t = 8F1BBCDC (40 ≤ t ≤ 59)
K_t = CA62C1D6 (60 ≤ t ≤ 79)
f_t(b, c, d) = (b ∧ c) ⊕ (¬b ∧ d) (0 ≤ t ≤ 19)
f_t(b, c, d) = b ⊕ c ⊕ d (20 ≤ t ≤ 39)
f_t(b, c, d) = (b ∧ c) ⊕ (b ∧ d) ⊕ (c ∧ d) (40 ≤ t ≤ 59)
f_t(b, c, d) = b ⊕ c ⊕ d (60 ≤ t ≤ 79).
• There are 80 rounds in SHA-1.
• In each round, the words A, B, C, D, and E are transformed according to specific formulas.
• As the arrows indicate, A becomes B, C becomes D, and D becomes E.
• The new A value is calculated according to the T formula.
• The new C value is calculated according to the formula c = ROTL30(b):
• ROTL30(b) = (b << 30) ∨ (b >> 32 − 30).
• b << 30 is obtained as follows: discard the leftmost 30 bits of b and then pad the result with 30 zeroes on the right (the result will still be 32 bits).
• b >> 32 − 30 is obtained by discarding the rightmost 2 bits of b and then padding the result with 2 zeroes on the left.
• Thus ROTL30(b) is equivalent to a circular shift of b by 30 positions to the left.

MD5
• MD2, MD4, and MD5 are message-digest algorithms developed by Ronald Rivest in 1989, 1990, and 1991.
• All three algorithms produce a 128-bit message digest of the message input, which may have any length, but in reality it is expected that the message will have less than 2^64 bits.
• MD5 sequentially processes blocks of 512 bits when computing the message digest, and padding is required even if the message is a multiple of 512. Padding is done as follows:
— Append a “1” bit followed by “0” bits until the length is 64 bits less than a multiple of 512 (length = 448 mod 512).
— Append a 64-bit representation of the pre-padded message length.
• The padded message length is 512 × n.

Computing MD5 Message Digest
[Figure: the padded message is split into 512-bit blocks M1 ... Mn of sixteen words Word[0] ... Word[15]. Each block goes through the compression function starting from the current A, B, C, D (the initial values for M1); the outputs after the 64 steps, AA[64], BB[64], CC[64], DD[64], are added back (A = A + AA[64], B = B + BB[64], C = C + CC[64], D = D + DD[64]) to give the new A, B, C, D values used for the next block.]
• MD5 sequentially processes blocks of 512 bits when computing the message digest, and padding is required even if the message is a multiple of 512. Padding is similar to SHA-1 and is done as follows:
• A single 1 bit followed by 0 bits is appended until the length is 64 bits less than a multiple of 512 (length = 448 mod 512); then
• A 64-bit representation of the pre-padded message length is appended.
• The padded message length is 512 × n.
• The message is divided into 512-bit message blocks, and each block into 16 words W[0], W[1], ..., W[15], where W[0] is the leftmost word.
• MD5 uses a four-word buffer (A, B, C, and D) to compute the message digest. A, B, C, and D are 32-bit registers and are initialized with the following values in hexadecimal (low-order byte first):
A = 01 23 45 67
B = 89 ab cd ef
C = fe dc ba 98
D = 76 54 32 10
• After the first message block is compressed, each word AA, BB, CC, and DD is added to the initial A, B, C, and D word values.
• The new A, B, C, and D values become the initial A, B, C, and D values for the second block. The process continues in the same manner.
• The last A, B, C, and D values are concatenated and become the message digest value.

MD5 Implementation
Initialization
A = 01 23 45 67
B = 89 ab cd ef
C = fe dc ba 98
D = 76 54 32 10
[Figure: Buffer 1 holds A, B, C, D; Buffer 2 holds the working registers At, Bt, Ct, Dt through Round 1 (t = 0 to 15) up to Round 4, each step computing a new value a_n from the current registers; AA, BB, CC, DD are added back to A, B, C, D before the next block.]
After the last message block, Mn, has been processed, the message digest is the 128-bit string represented by the 4 words A B C D.
• MD5 has four rounds and each round has 16 transformations.
• In each round, the words A, B, C, and D are transformed according to specific formulas.
• As the arrows indicate, B becomes C, C becomes D, and D becomes A.
• The new B value is calculated according to the function a_n.
• The function a_n is different for each round.

MD5 Rounds
Round 1: a1 = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s)
Round 2: a2 = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s)
Round 3: a3 = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s)
Round 4: a4 = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s)
Where:
F(b,c,d) = bc ∨ not(b) d
G(b,c,d) = bd ∨ c not(d)
H(b,c,d) = b xor c xor d
I(b,c,d) = c xor (b ∨ not(d))
X[k] represents the k-th sub-block of the message (from 0 to 15).
T[i] is the integer part of 4294967296 times abs(sin(i)), where i is in radians. Note 4294967296 is 2^32.
<<< s represents a circular left shift (rotation) of s bits.
SHA-1 and MD5 Comparison
Secure Hash Algorithm (SHA-1):
• Developed by NSA and is required for use with the Digital Signature Algorithm (DSA).
• Works on messages up to 2^64 bits in length.
• Produces a 160-bit message digest.
• Processes message blocks of 512 bits.
• Has four rounds of twenty operations in the main loop of the algorithm.
• Performs a nonlinear operation on three of the five variables a, b, c, d, e in each operation.
Message Digest 5 (MD5):
• Developed by Ronald Rivest in 1991 (MD2 in 1989, MD4 in 1990).
• Works on messages up to 2^64 bits in length.
• Produces a 128-bit message digest.
• Processes message blocks of 512 bits.
• Has four rounds of sixteen operations in the main loop of the algorithm.
• Performs a nonlinear operation on three of the four variables A, B, C, D in each operation.
• Hash functions are used to prove that the transmitted data was not altered.
• SHA-1 is better than MD5 because it has a longer message digest and because it performs more nonlinear operations on more variables than MD5.
• Besides, MD5 has been deprecated because it has a known collision weakness.

Keyed-Hash Message Authentication Code (HMAC)
[Figure: the IP header, AH, message and pad are hashed (SHA-1 or MD5) together with the 128-bit shared key; the 160- or 128-bit result is hashed again with the key, giving a 160- or 128-bit HMAC.]
• HMAC is a cryptographically strong way to use a specific hash function for MAC calculation.
• The hash function is applied twice in succession.
— In the first round, the input to the hash function is the shared secret key and the message.
— The 160-bit or 128-bit output hash value and the key are input again to the hash function in the second round.
• HMAC output could be truncated (i.e., the length of the MAC used is less than the length of the output of the MAC function). If HMAC is truncated to 96 bits, it is then called HMAC-MD5-96 or HMAC-SHA1-96.
• The Federal Information Processing Standards FIPS PUB 198 (2002) describes HMAC as a mechanism for message authentication using cryptographic hash funct
ions. HMAC can be used with any approved cryptographic hash function in combination with a shared secret key. The cryptographic strength of an HMAC depends on the properties of the underlying hash function. The HMAC specified in FIPS PUB 198 is a generalization of Internet RFC 2104 (Krawczyk, Bellare, & Canetti, 1997), HMAC, “Keyed-Hashing for Message Authentication,” and ANSI X9.71, “Keyed Hash Message Authentication Code.”
• In HMAC a shared secret S and the message M are mixed into the digest, H(S+M). At the destination, the recipient uses his own copy of S to create H'(S+M) and compares it with the received digest.
• When HMAC is used, the strength of the integrity protection depends on the secrecy of S and the inability of the attacker to figure out S. Kerberos tickets can be used as the shared secret.
• HMAC provides message integrity.

HMAC Implementation
Notation (FIPS PUB 198):
  B      Block size (in bytes) of the hash function input.
  H      An approved hash function.
  ipad   Inner pad; the byte 00110110 (0x36) repeated B times.
  K      Secret key shared between the originator and the intended receiver(s).
  K0     The key K after any necessary preprocessing to form a B-byte key.
  L      Byte length of the hash function output.
  opad   Outer pad; the byte 01011100 (0x5c) repeated B times.
  t      The number of bytes of MAC.
  text   The data on which the HMAC is calculated; text does not include the padded key. The
         length of text is n bits, where 0 ≤ n < 2^B - 8B.
  x'N'   Hexadecimal notation, where each symbol in the string 'N' represents 4 binary bits.
  ||     Concatenation.
  XOR    Exclusive-Or operation.

Computation:
  1. Determine K0 (per FIPS 198: a key longer than B bytes is first hashed to L bytes; a key
     shorter than B bytes is padded on the right with zeros to B bytes).
  2. K0 XOR ipad
  3. (K0 XOR ipad) || text
  4. H((K0 XOR ipad) || text)
  5. K0 XOR opad
  6. (K0 XOR opad) || H((K0 XOR ipad) || text)
  7. H((K0 XOR opad) || H((K0 XOR ipad) || text))
  8. MAC(text)_t = leftmost "t" bytes of H((K0 XOR opad) || H((K0 XOR ipad) || text))

  Algorithm   B (bytes)   L (bytes)
  MD5            64          16
  SHA-1          64          20
  DES             8           8
  3DES            8           8
  (The DES and 3DES rows, carried over from the slide, give block-cipher block sizes rather than
  hash-function parameters.)
• The hash function is applied twice in succession.
• In the first round, the input to the hash function is the padded shared secret key (K0 XOR ipad)
  and the message.
• The 128-bit (MD5) or 160-bit (SHA-1) output hash value of the first round and the padded key
  (K0 XOR opad) are input again to the hash function in the second round.
• The two rounds are the two H(...) computations above (highlighted in green on the original slide).
• The table shows B (block byte length) and L (output byte length) of the different approved hash
  functions used with HMAC. A byte is equal to 8 bits.
• Some HMAC implementations truncate the output H to a given length t, so only part of the hash is
  output. RFC 2104 (Krawczyk, Bellare, & Canetti, 1997) recommends that t should not be less than
  half of the original hash output length (and not less than 80 bits). The HMAC notation is as
  follows: HMAC-<hash algorithm>-<t>. For example, HMAC-SHA1-96 is an HMAC that uses SHA-1 for its
  hash function, and the resulting hash is truncated to 96 bits. The SHA-1 output is 160 bits.
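The eight FIPS 198 steps above, carried out literally in Python with the slide's symbols (B, L, K, K0, ipad, opad, t, text). This is an added worked example, not code from the lecture; it covers the K0 preprocessing the slide only names, the HMAC-SHA1-96 truncation, and the constant-time comparison a verifier should use. The result is cross-checked against Python's own hmac module and against RFC 2202 test case 1.

```python
"""HMAC computed step by step as FIPS PUB 198 / RFC 2104 define it, with the
slide's symbols (B, L, K, K0, ipad, opad, t, text).  Added example, not code
from the original lecture; it is cross-checked against Python's hmac module."""
import hashlib
import hmac

IPAD_BYTE, OPAD_BYTE = 0x36, 0x5C          # 00110110 and 01011100


def hmac_fips198(K: bytes, text: bytes, hash_name: str = "sha1", t=None) -> bytes:
    """Return H((K0 XOR opad) || H((K0 XOR ipad) || text)), truncated to t bytes if t is given."""
    h = hashlib.new(hash_name)
    B, L = h.block_size, h.digest_size      # MD5 and SHA-1: B = 64; L = 16 and 20
    # Step 1: K0.  A key longer than B bytes is hashed first (giving L bytes);
    # anything shorter than B bytes is then padded on the right with zeros.
    K0 = hashlib.new(hash_name, K).digest() if len(K) > B else K
    K0 = K0.ljust(B, b"\x00")
    ipad = bytes([IPAD_BYTE]) * B
    opad = bytes([OPAD_BYTE]) * B
    # Steps 2-4: first round, inner hash over (K0 XOR ipad) || text
    inner = hashlib.new(hash_name, bytes(a ^ b for a, b in zip(K0, ipad)) + text).digest()
    # Steps 5-7: second round, outer hash over (K0 XOR opad) || inner
    mac = hashlib.new(hash_name, bytes(a ^ b for a, b in zip(K0, opad)) + inner).digest()
    # Step 8: optional truncation to the leftmost t bytes (HMAC-SHA1-96: t = 12)
    return mac if t is None else mac[:t]


def verify_mac(K: bytes, text: bytes, received: bytes, hash_name: str = "sha1", t=None) -> bool:
    """Constant-time check of a received tag; a plain == would leak, byte by
    byte, how much of a forged tag is already correct."""
    return hmac.compare_digest(hmac_fips198(K, text, hash_name, t), received)


def matches_stdlib(K: bytes, text: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-rolled construction against the standard library."""
    return hmac.compare_digest(hmac_fips198(K, text, hash_name),
                               hmac.new(K, text, hash_name).digest())


if __name__ == "__main__":
    key, msg = b"\x0b" * 20, b"Hi There"       # RFC 2202 test case 1 (constructed input)
    print("HMAC-SHA1   :", hmac_fips198(key, msg, "sha1").hex())
    print("HMAC-SHA1-96:", hmac_fips198(key, msg, "sha1", t=12).hex())
    print("matches hmac module:", matches_stdlib(key, msg))
```

Passing a 200-byte key shows the hash-then-pad rule for K0; passing `t=12` gives the 96-bit tag that IPsec's HMAC-SHA1-96 carries. Truncation does not change how the tag is computed, only how much of it is sent, so the verifier must truncate its own computation before comparing.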
Integrity and Authentication What is Authentication?
authentication / n. (1) The act of identifying or verifying the entity that originated the message,
or the corroboration (proof) of the sender's identity, i.e., that he is who he claims to be. Written
messages are authenticated with a handwritten signature so the receiver of the message is able to
validate the message. (2) access. The act of identifying or verifying the eligibility of a station,
originator, or individual to access specific categories of information.

digital signature / n. Electronic equivalent of a signature on a message. It combines a one-way
hash function with public-key cryptography. A digital signature must be a function of the document
it signs. A digital signature is created by taking the hash of a message and encrypting it with the
sender's private key.

• Authentication is the act of identifying or verifying the entity that originated the message. It can
also mean the corroboration (proof) of the sender's identity and authenticity, that he is the one he
claims to be. When a written message is sent, the message is authenticated with a handwritten
signature so the receiver of the message is able to validate the message.
• While passwords can be used for establishing identity, it is better to use public-key digital
  signatures, such as DSS and RSA, because of their stronger authentication mechanisms.
• When using public-key digital signatures, each entity requires a public key and a private key.
  Certificates are an essential part of a digital signature authentication mechanism. Certificates bind a
  specific entity's identity (be it host, network, user, or application) to its public keys and, possibly,
  to other security-related information such as privileges, clearances, and compartments.
  Authentication based on digital signatures requires a trusted third party or certificate authority to
  create, sign, and properly distribute certificates.

Integrity and Authentication Authentication
Authentication: assurance that the message is coming from the source from which it claims to come.
[Slide figure: Authentication branches into Digital Signatures (ElGamal, RSA, DSA, ECDSA) and Hash
Functions (MD5, SHA). Digital signatures provide authentication, non-repudiation, and integrity.]
A digital signature is created by taking the message's hash and encrypting it with the sender's
private key.

• The DSS standard specifies a suite of algorithms which can be used to generate a digital signature.
  Those algorithms are: DSA, RSA, and ECDSA.
• Note that the ElGamal digital signature, as originally published, signs the message itself and not
  the message's hash, as RSA and the DSA do. (Practical ElGamal signatures sign H(m) instead: signing
  the raw message allows existential forgeries, in which an attacker produces a valid signature on a
  message he did not get to choose.)

Integrity and Authentication Digital Signatures
• A digital signature is the electronic analogue of a handwritten signature. Digital signatures
  provide the following:
  — Authentication: it should be possible for the recipient of a message to ascertain its origin.
  — Non-repudiation: a sender should not be able to later deny having sent and signed the message.
  — Integrity: it should be possible for the recipient of the message to verify that it has not been
    modified in transit.
• A digital signature must provide the following assurances:
  — The signature is not forgeable.
  — The signature can be validated.
  — Once a message is signed, the sender must not be able to repudiate it.

• Digital signatures provide a way to verify that a message has not been altered in transit, and for a
  recipient to be certain of the originator's identity.

Integrity and Authentication Digital Signatures
[Slide figure: Alice (sender) runs the cleartext message through the hash function and enciphers the
hash with Alice's private key, producing the digital signature, which is sent together with the
cleartext message. Bob (recipient) deciphers the digital signature with Alice's public key to recover
the hash, runs the received cleartext message through the same hash function, and compares the two
values. If both values are equal, the message is from Alice and it has not been tampered with.]
A digital signature is created by taking the hash of a message and encrypting it with the sender's
private key.

• A digital signature is created by hashing the message and taking the hash result and encrypting
  (signing) it with the sender's private key. Signing the message digest rather than the message
  improves the efficiency of the process because the message digest is usually much smaller than
  the message. The cleartext message is concatenated with the digital signature. (Describing signing
  as "encrypting the hash with the private key" fits RSA, where signing and decryption are the same
  modular exponentiation; DSA and ECDSA compute the signature with different arithmetic and cannot
  encrypt at all, as noted later in this session.)
• The figure above shows how authentication is achieved using digital signatures. Alice hashes the
  message and the hash is encrypted using Alice's private key. Alice transmits the message in clear
  concatenated with the digital signature. When Bob receives the message, he deciphers the digital
  signature using Alice's public key and obtains the message hash. Bob then hashes the cleartext
  message and compares both hashes. If both hashes are the same, then the message has not been
  modified and it came from Alice.
• The following are the requirements for a digital signature:
  — The signature must be a bit pattern that depends on the message being signed.
  — The signature must use some information unique to the sender, the sender's private key, to
    prevent both forgery and denial.
  — It must be very easy to produce.
  — It must be very easy to recognize and verify.
  — It must be computationally infeasible to forge a digital signature, either by constructing a new
    message for an existing digital signature or by constructing a fraudulent digital signature for a
    given message.
  — It must be possible to store a copy.

Integrity and Authentication Digital Signatures
• The Digital Signature Standard (DSS), FIPS PUB 186-2, prescribes three algorithms suitable for
  digital signatures:
  — Digital Signature Algorithm (DSA)
    – Standard for digital authentication.
    – Initial 512-bit key size increased to 1024 bits for better security.
  — RSA algorithm
    – Uses a hash (MD5 in the figures in this session) and RSA public-key cryptography; the
      signature is made with the sender's private key and checked with the public key.
  — ECDSA algorithm
    – The recommended elliptic curves for Federal Government use are described in Appendix 6 of
      FIPS PUB 186-2.
• ElGamal
  — Signs the message, not the message digest of the message.

• FIPS PUB 186-2, issued on January 27, 2000, is the specification for the Digital Signature
Standard (DSS), which prescribes three algorithms suitable for digital signatures: the Digital
Signature Algorithm (DSA), the RSA algorithm, the ECDSA algorithm.
• For a digital signature to work, the signatory and the verifier need to have their public and private
keys. The private key is used in the signature generation process, and the public key is used in the
  signature verification process. Also, the Secure Hash Algorithms (SHA), specified in FIPS 180-2,
  are used for both signature generation and verification.
• If a message is signed with Alice's private key, then it is possible to assume that only Alice signed
  the message because she is the only one who has that private key. A spoofer, who does not know
  Alice's private key, cannot generate Alice's correct signature. In other words, digital signatures
  cannot be forged, as long as the private key stays private. In the same way, if a message is
  enciphered with Bob's public key, only Bob will be able to decipher the message because it is
  assumed that only Bob has Bob's private key.
• Because there is the possibility that a spoofer may post his own public key as Alice's or Bob's, it is
  necessary to have a means of associating a user's identity with the user's public key. A mutually
  trusted party, a certifying authority, signs credentials containing the user's public key and identity,
  creating a digital certificate that binds the public key to the user.

Integrity and Authentication Digital Signature Algorithm (DSA)
Alice (has p, q, g, her private key x and public key y)
  y = g^x mod p
  r = (g^k mod p) mod q
  s = (k^-1 (H(m) + x r)) mod q
  Alice sends message m and her signature, r and s.

Bob (has p, q, g and Alice's public key y)
  Bob verifies the signature by computing
    w  = (s')^-1 mod q
    u1 = (H(m') w) mod q
    u2 = ((r') w) mod q
    v  = ((g^u1 y^u2) mod p) mod q
  If v = r', then the signature is verified.

H(m) = Secure Hash Algorithm of message m.
m', r', and s' are the received versions of m, r, and s.
p, q, and g can be public.
x is an integer with 0 < x < q.
Alice's private and public keys are x and y.
x and k must be secret.
k must be changed for each signature.

• If you are not interested in the mathematics involved, just remember that Alice and Bob need to
agree on the integers p, q, and g, which can be public and can be common to a group of users.
• Alice generates her private and public keys, x and y, respectively, and then calculates two numbers
r and s that are sent to Bob.
• Parameters x and k are used for signature generation only, and must be kept secret. Parameter k
must be changed for each signature –message signed.
• Bob makes several calculations, based on the numbers sent by Alice, and he arrives at a value v. If
the value v, calculated by Bob, and the value r, sent by Alice, are the same, then the signature is
validated and the message has not been changed.
• DSS, whose signature algorithm is the Digital Signature Algorithm (DSA), cannot be used for
  encryption or key distribution. The algorithm gets its security from the difficulty of computing
  discrete logarithms in a Galois field.
  p is a prime modulus, where 2^(L-1) < p < 2^L (in FIPS 186-2, L is a multiple of 64 with
    512 ≤ L ≤ 1024).
  q is a 160-bit prime factor of p - 1, where 2^159 < q < 2^160.
  g = h^((p-1)/q) mod p, where h is any integer with 1 < h < p - 1 such that h^((p-1)/q) mod p > 1.
  x = a randomly or pseudorandomly generated integer with 0 < x < q.
  y = g^x mod p.
  k = a randomly or pseudorandomly generated integer with 0 < k < q, fresh for every signature.
  H(m) = Secure Hash Algorithm (SHA-1) of message m.
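The DSA computation on this slide, carried out end to end with the same symbols (p, q, g, x, y, k, r, s, w, u1, u2, v), as an added example that is not part of the original lecture. It also shows why the slide insists that k must change for every signature: two signatures made with the same k share the same r, and from the two s values anyone can solve for k and then for x. The parameter sizes (512-bit p, 160-bit q, SHA-1) are the smallest FIPS 186-2 allowed and are toy-sized today; the fixed random seed only makes the run reproducible.

```python
"""DSA with the slide's symbols, plus the k-reuse attack the slide warns about.
Added example, not from the lecture.  Toy sizes (512-bit p, 160-bit q, SHA-1)
so it runs in well under a second in pure Python; not for real use."""
import hashlib
import random


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_parameters(rng, L=512, N=160):
    """p: L-bit prime; q: N-bit prime with q | p-1; g = h^((p-1)/q) mod p > 1."""
    q = 0
    while not is_probable_prime(q, rng):
        q = rng.getrandbits(N) | (1 << (N - 1)) | 1          # odd, top bit set
    while True:
        c = (rng.getrandbits(L - N) | (1 << (L - N - 1))) & ~1  # even c -> odd p
        p = q * c + 1
        if p.bit_length() == L and is_probable_prime(p, rng):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)      # h^((p-1)/q) mod p
        if g > 1:
            return p, q, g


def H(m: bytes) -> int:
    """Slide: H(m) = Secure Hash Algorithm of m (SHA-1), read as an integer."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big")


def sign(m, p, q, g, x, k):
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (H(m) + x * r) % q
    return r, s


def verify(m, r, s, p, q, g, y):
    if not (0 < r < q and 0 < s < q):          # reject out-of-range values first
        return False
    w = pow(s, -1, q)
    u1 = H(m) * w % q
    u2 = r * w % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q
    return v == r


def recover_x_from_reused_k(m1, s1, m2, s2, r, q):
    """Same k => same r.  s1 - s2 = k^-1 (H(m1) - H(m2)) mod q gives k, and
    then x = (s1 k - H(m1)) r^-1 mod q from either signature."""
    k = (H(m1) - H(m2)) * pow((s1 - s2) % q, -1, q) % q
    return (s1 * k - H(m1)) * pow(r, -1, q) % q


def demo(seed=2024):
    rng = random.Random(seed)
    p, q, g = generate_parameters(rng)
    x = rng.randrange(1, q)                    # private key, 0 < x < q
    y = pow(g, x, p)                           # public key
    k = rng.randrange(1, q)                    # per-signature secret, 0 < k < q
    m1 = b"transfer 100 to bob"                # constructed sample messages
    m2 = b"transfer 500 to carol"
    r1, s1 = sign(m1, p, q, g, x, k)
    r2, s2 = sign(m2, p, q, g, x, k)           # the mistake being shown: k reused
    return {
        "valid": verify(m1, r1, s1, p, q, g, y),
        "tampered_rejected": not verify(b"transfer 900 to bob", r1, s1, p, q, g, y),
        "same_r": r1 == r2,
        "x_recovered": recover_x_from_reused_k(m1, s1, m2, s2, r1, q) == x,
    }


if __name__ == "__main__":
    print(demo())
```

The range check in verify (0 < r, s < q) matters: FIPS 186 requires it, and skipping it lets a verifier accept degenerate values. The recovery routine is the same calculation that has been used against real deployments whenever k was repeated or poorly generated, which is why modern implementations derive k deterministically from the key and the message (RFC 6979) rather than trusting a random source.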
Integrity and Authentication Authentication and Confidentiality
[Slide figure, sender side: the cleartext message is hashed (SHA-1) and the hash enciphered with the
sender's private key, giving the RSA digital signature; the message, the signature and the sender's
certificate are enciphered with a symmetric algorithm under a session key (the signed cipher message);
the session key is enciphered with the recipient's public key (the RSA digital envelope). Recipient
side: the digital envelope is deciphered with the recipient's private key to recover the session key,
the signed cipher message is deciphered with it, the DSS/RSA digital signature is deciphered with the
sender's public key, the deciphered message is hashed with SHA-1, and the two hashes are compared
(Yes/No).]

• Some protocols rely on cryptography and digital certificates to ensure message confidentiality and
  authentication. Whenever end-users and Certificate Authorities are exchanging information,
  either to get a certificate, to place orders, or to request payment authorization, the information is
  secured using digital signatures, digital envelopes and encryption.
• The following steps describe the authentication and confidentiality process:
  — The sender generates a random session key. The session key is a one-time secret key used to
    encipher the message with a symmetric encryption algorithm.
  — The message is hashed using SHA-1 and the hash is signed using RSA with the sender's private
    key, creating a digital signature.
  — The cleartext message is concatenated with the digital signature and the sender's certificate.
  — The cleartext message, digital signature, and certificate are enciphered with a symmetric
    algorithm (AES) using the one-time session key generated previously by the sender.
  — The one-time session key is enciphered with RSA using the recipient's public key. The
    enciphered one-time session key is called a Digital Envelope.
  — The enciphered session key is concatenated with the signed cipher message.
  — To decipher and authenticate the message, the receiver performs the above steps in reverse:
    he opens the envelope with his private key, deciphers the signed cipher message with the recovered
    session key, and verifies the signature with the sender's public key taken from the sender's
    certificate.

Integrity and Authentication RSA Encryption and Digital Signature
[Slide figure, sender: the plaintext message is hashed (MD5) and the hash enciphered with the sender's
private key to give the digital signature; the message and the signature are enciphered with the
receiver's public key and transmitted as the signed cipher message. Receiver: the signed cipher message
is deciphered with the receiver's private key, yielding the deciphered message and the digital
signature; the signature is deciphered with the sender's public key, the deciphered message is hashed
(MD5), and the two hashes are compared (Yes/No).]

• A digital signature is created by taking the hash of a message and encrypting it with the
sender’s private key.
• The digital signature and message are concatenated and enciphered with the receiver's public key.
  (RSA can only encipher a block smaller than its modulus, so in practice a message of any length is
  enciphered with a symmetric session key that is itself enveloped under the receiver's public key, as
  on the previous slide.)
• The receiver deciphers the encrypted information using his private key and gets the plaintext
  message and the digital signature.
• The receiver deciphers the digital signature using the sender's public key and gets the message's
  hash.
• The receiver creates a message hash from the deciphered plaintext and compares both hashes.
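The sign-then-envelope flow of the two preceding slides (sign the message with the sender's private key, encipher message plus signature under a one-time session key, envelope the session key under the recipient's public key, then reverse the steps at the receiver) as an added example; it is not the lecture's or any product's code. It assumes the third-party `cryptography` package is installed, and it substitutes the modern primitives a practitioner would actually use for the slides' SHA-1, raw RSA and unauthenticated symmetric encryption: SHA-256 with RSA-PSS for the signature, RSA-OAEP for the envelope, and AES-GCM for the session-key encryption, so tampering with the cipher message is detected before any signature check.

```python
"""Sign-then-envelope as on the slides: RSA signature over the message,
AES encryption of (message || signature) under a fresh session key, and the
session key enveloped with the recipient's RSA public key.
Added example; requires `pip install cryptography`.  SHA-256/RSA-PSS, RSA-OAEP
and AES-GCM replace the slides' SHA-1, raw RSA and unauthenticated AES."""
import os
import struct

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def generate_keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _pack(*parts: bytes) -> bytes:
    """Length-prefixed concatenation, so the receiver can split the fields again."""
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)


def _unpack(blob: bytes):
    out, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        i += 4
        out.append(blob[i:i + n])
        i += n
    return out


def seal(message: bytes, sender_priv, recipient_pub) -> bytes:
    # 1. hash-and-sign with the sender's private key (PSS hashes the message itself)
    signature = sender_priv.sign(message, PSS, hashes.SHA256())
    # 2. one-time session key; AES-GCM gives confidentiality and an integrity tag
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    signed_cipher_message = AESGCM(session_key).encrypt(nonce, _pack(message, signature), None)
    # 3. digital envelope: the session key under the recipient's public key
    envelope = recipient_pub.encrypt(session_key, OAEP)
    return _pack(envelope, nonce, signed_cipher_message)


def open_sealed(blob: bytes, recipient_priv, sender_pub) -> bytes:
    """Reverse the steps; raises InvalidTag on a damaged cipher message and
    InvalidSignature if the signature is not the claimed sender's."""
    envelope, nonce, signed_cipher_message = _unpack(blob)
    session_key = recipient_priv.decrypt(envelope, OAEP)
    message, signature = _unpack(AESGCM(session_key).decrypt(nonce, signed_cipher_message, None))
    sender_pub.verify(signature, message, PSS, hashes.SHA256())
    return message


def demo():
    alice, bob, mallory = generate_keypair(), generate_keypair(), generate_keypair()
    msg = b"pay 100 to bob"                                    # constructed sample message
    blob = seal(msg, alice, bob.public_key())
    round_trip_ok = open_sealed(blob, bob, alice.public_key()) == msg
    try:                                                        # verify against the wrong signer
        open_sealed(blob, bob, mallory.public_key())
        wrong_signer_rejected = False
    except InvalidSignature:
        wrong_signer_rejected = True
    damaged = bytearray(blob)
    damaged[-1] ^= 1                                            # flip one bit of the cipher message
    try:
        open_sealed(bytes(damaged), bob, alice.public_key())
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True
    return round_trip_ok, wrong_signer_rejected, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The sender's certificate from the slide is omitted: here the receiver is handed Alice's public key directly, where a real protocol would extract it from a certificate chained to a trusted CA. Note also the ordering: the signature covers only the message, so a recipient learns who wrote it but not who enveloped it for him; protocols that need the latter bind the recipient's identity into the signed data.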
Integrity and Authentication ElGamal Digital Signature
Alice (signer):
• Let M be a document to be signed, where 0 ≤ M ≤ p - 1.
• Select a large prime number p as the modulus, and a base a that is a primitive root modulo p.
• Generate the private and public keys according to Diffie-Hellman: Pub_A = a^(Priv_A) mod p.
• Choose a random number R_A, uniformly between 0 and p - 1, such that gcd(R_A, p - 1) = 1.
• Compute V_A = a^(R_A) mod p.
• Find I_RA, the multiplicative inverse of R_A, such that R_A * I_RA ≡ 1 (mod (p - 1)).
• Compute S_A, the signature: S_A = [I_RA * (M - V_A * Priv_A)] mod (p - 1).
• Alice sends M, V_A, and S_A to Bob.

Bob (verifier):
• For authentication, Bob computes
    C_B  = a^M mod p
    C_B' = [Pub_A^(V_A) * V_A^(S_A)] mod p
• If C_B = C_B', then M is authentic.

• Alice selects a random number R_A, computes V_A, and generates her private and public keys
  according to Diffie-Hellman.
• Then, Alice finds I_RA, the multiplicative inverse of R_A, and computes S_A.
• Alice sends M (message), V_A, and S_A.
• Bob calculates C_B and C_B', and if both are the same, then M is authentic.
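The ElGamal signature exactly as written on this slide (symbols p, a, R_A, I_RA, V_A, S_A, Priv_A, Pub_A, C_B, C_B'), as an added example that is not from the lecture, together with the existential forgery that the "sign M itself, not H(M)" design permits, which is the reason the earlier note says practical ElGamal signs the digest. It uses the toy modulus p = 2^31 - 1 (a Mersenne prime) with a = 7: because p - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331, the primitive-root condition can be checked directly from that factorization instead of trusting it. Such a p is far too small for real use.

```python
"""ElGamal signature with the slide's symbols, and the existential forgery that
signing M rather than H(M) allows.  Added example, not from the lecture.
Toy modulus p = 2^31 - 1; p - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331."""
import random
from math import gcd

P = 2**31 - 1
P_MINUS_1_PRIME_FACTORS = (2, 3, 7, 11, 31, 151, 331)


def is_primitive_root(a, p=P, factors=P_MINUS_1_PRIME_FACTORS):
    """a generates all of Z_p* iff a^((p-1)/r) != 1 (mod p) for every prime r | p-1."""
    return all(pow(a, (p - 1) // r, p) != 1 for r in factors)


def keygen(rng, p=P, a=7):
    """Diffie-Hellman style keys: (Priv_A, Pub_A = a^Priv_A mod p)."""
    priv = rng.randrange(2, p - 1)
    return priv, pow(a, priv, p)


def sign(M, priv, rng, p=P, a=7):
    """Return (V_A, S_A) for a document 0 <= M <= p-1."""
    while True:
        R = rng.randrange(1, p - 1)              # R_A with gcd(R_A, p-1) = 1
        if gcd(R, p - 1) == 1:
            break
    V = pow(a, R, p)                             # V_A = a^R_A mod p
    I_R = pow(R, -1, p - 1)                      # R_A * I_RA = 1 mod (p-1)
    S = I_R * (M - V * priv) % (p - 1)           # S_A = I_RA (M - V_A Priv_A) mod (p-1)
    return V, S


def verify(M, V, S, pub, p=P, a=7):
    if not (0 < V < p and 0 <= S < p - 1):       # range checks before any arithmetic
        return False
    C_B = pow(a, M, p)                           # C_B  = a^M mod p
    C_B_prime = pow(pub, V, p) * pow(V, S, p) % p  # C_B' = Pub_A^V_A * V_A^S_A mod p
    return C_B == C_B_prime


def forge(pub, rng, p=P, a=7):
    """Existential forgery without Priv_A.  Pick e and v with gcd(v, p-1) = 1 and set
       V = a^e * Pub_A^v mod p,  S = -V * v^-1 mod (p-1),  M = e * S mod (p-1).
    Then Pub_A^V * V^S = a^(Priv_A*V + e*S + Priv_A*v*S) = a^(e*S) = a^M, so (V, S)
    verifies for M.  The forger cannot pick M, which is why real schemes sign H(M)."""
    while True:
        v = rng.randrange(2, p - 1)
        if gcd(v, p - 1) == 1:
            break
    e = rng.randrange(1, p - 1)
    V = pow(a, e, p) * pow(pub, v, p) % p
    S = -V * pow(v, -1, p - 1) % (p - 1)
    M = e * S % (p - 1)
    return M, V, S


def demo(seed=7):
    rng = random.Random(seed)
    priv, pub = keygen(rng)
    M = 123456789                                # constructed sample "document", M <= p-1
    V, S = sign(M, priv, rng)
    M_forged, V_f, S_f = forge(pub, rng)         # uses only the public key
    return {
        "a_is_primitive_root": is_primitive_root(7),
        "valid": verify(M, V, S, pub),
        "tampered_rejected": not verify(M + 1, V, S, pub),
        "forgery_accepted": verify(M_forged, V_f, S_f, pub),
    }


if __name__ == "__main__":
    print(demo())
```

The forgery succeeds against the scheme exactly as the slide states it, and the only thing it cannot do is choose M. Replacing M with H(M) in both sign and verify closes it, because the forger would then need a message whose hash equals the random value the construction produces. The same R_A-reuse leak shown for DSA applies here too: two signatures with the same R_A (hence the same V_A) reveal Priv_A.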
Integrity and Authentication To Probe Further
• Rivest, R. (April 1992). The MD5 Message-Digest Algorithm. RFC 1321.
• Kohnfelder, L. M. (February 1978). On the Signature Reblocking Problem in Public-Key
  Cryptosystems (p. 179). Communications of the ACM, Vol. 21, No. 2.
• National Institute of Standards and Technology (1995). Secure Hash Standard. FIPS PUB 180-1.
• National Institute of Standards and Technology (2002). The Keyed-Hash Message Authentication
  Code (HMAC). FIPS PUB 198.
• National Institute of Standards and Technology (2000). Digital Signature Standard (DSS).
  FIPS PUB 186-2.
• Newman, D. B., Omura, J. K., Pickholtz, R. L. (April 1987). Public Key Management for Network
  Security (pp. 12-13). IEEE Network Magazine, Vol. 1, No. 2.
• ElGamal, T. (July 1985). A Public Key Cryptosystem and a Signature Scheme Based on Discrete
  Logarithms (pp. 469-472). IEEE Transactions on Information Theory, Vol. IT-31, No. 4.
• Krawczyk, H., Bellare, M., Canetti, R. (February 1997). HMAC: Keyed-Hashing for Message
  Authentication. RFC 2104.
This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.