Posted Below

DrunkenCheetha

chap12.pdf

Home >Information Systems homework help >Posted Below

Cryptography and Network Security:

Principles and Practice Eighth Edition

Chapter 12

Message Authentication Codes

Message Authentication

Requirements (1 of 2) • Disclosure

– Release of message contents to any person or process not

possessing the appropriate cryptographic key

• Traffic analysis

– Discovery of the pattern of traffic between parties

• Masquerade

– Insertion of messages into the network from a fraudulent

source

• Content modification

– Changes to the contents of a message, including insertion,

deletion, transposition, and modification

Message Authentication

Requirements (2 of 2) • Sequence modification

– Any modification to a sequence of messages between

parties, including insertion, deletion, and reordering

• Timing modification

– Delay or replay of messages

• Source repudiation

– Denial of transmission of message by source

• Destination repudiation

– Denial of receipt of message by destination

Message Authentication Functions

• Two levels of functionality:

• Lower level

– There must be some sort of

function that produces an

authenticator

• Higher-level

– Uses the lower-level function

as a primitive in an

authentication protocol that

enables a receiver to verify the authenticity of a message

• Hash function

– A function that maps a message

of any length into a fixed-length

hash value which serves as the

authenticator

• Message encryption

– The ciphertext of the entire

message serves as its

authenticator

• Message authentication code (M A C)

– A function of the message and a

secret key that produces a

fixed-length value that serves as

the authenticator

Figure 12.1 Basic Uses of Message

Encryption

Figure 12.2 Internal and External

Error Control

Figure 12.3 T C P Segment

Public-Key Encryption

• The straightforward use of public-key encryption provides

confidentiality but not authentication

• To provide both confidentiality and authentication, A can

encrypt M first using its private key which provides the

digital signature, and then using B’s public key, which

provides confidentiality

• Disadvantage is that the public-key algorithm must be

exercised four times rather than two in each

communication

Figure 12.4 Basic Uses of Message

Authentication code (M A C)

Requirements for M A Cs

• Taking into account the types of attacks, the M A C needs to

satisfy the following:

• The first requirement deals with message replacement

attacks, in which an opponent is able to construct a new

message to match a given M A C, even though the

opponent does not know and does not learn the key

• The second requirement deals with the need to thwart a

brute-force attack based on chosen plaintext

• The final requirement dictates that the authentication

algorithm should not be weaker with respect to certain

parts or bits of the message than others

Brute-Force Attack

• Requires known message-tag pairs

– A brute-force method of finding a collision is to pick a

random bit string y and check if H(y) = H(x)

• Two lines of attack:

– Attack the key space

▪ If an attacker can determine the M A C key then it is

possible to generate a valid M A C value for any input

– Attack the M A C value

▪ Objective is to generate a valid tag for a given

message or to find a message that matches a given

tag

Cryptanalysis

• Cryptanalytic attacks seek to exploit some property of the

algorithm to perform some attack other than an exhaustive

• An ideal M A C algorithm will require a cryptanalytic effort

greater than or equal to the brute-force effort

• There is much more variety in the structure of M A Cs than

in hash functions, so it is difficult to generalize about the

cryptanalysis of M A Cs

M A Cs Based on Hash Functions:

H M A C • There has been increased interest in developing a M A C

derived from a cryptographic hash function

• Motivations:

– Cryptographic hash functions such as M D5 and S H A

generally execute faster in software than symmetric

block ciphers such as D E S

– Library code for cryptographic hash functions is widely

available

• H M A C has been chosen as the mandatory-to-implement

M A C for I P security

• Has also been issued as a N I S T standard (F I P S 198)

H M A C Design Objectives

• R F C 2104 lists the following objectives for H M A C:

– To use, without modifications, available hash functions

– To allow for easy replaceability of the embedded hash

function in case faster or more secure hash functions

are found or required

– To preserve the original performance of the hash

function without incurring a significant degradation

– To use and handle keys in a simple way

– To have a well understood cryptographic analysis of

the strength of the authentication mechanism based on

reasonable assumptions about the embedded hash

function

Figure 12.5 H M A C Structure

Figure 12.6 Efficient Implementation

of H M A C

Security of H M A C

• Depends in some way on the cryptographic strength of the

underlying hash function

• Appeal of H M A C is that its designers have been able to

prove an exact relationship between the strength of the

embedded hash function and the strength of H M A C

• Generally expressed in terms of the probability of

successful forgery with a given amount of time spent by

the forger and a given number of message-tag pairs

created with the same key

Figure 12.7 Data Authentication

Algorithm (F I P S P U B 113)

Figure 12.8 Cipher-based Message

Authentication Code (C M A C)

Authenticated Encryption (A E)

• A term used to describe encryption systems that

simultaneously protect confidentiality and authenticity of

communications

• Approaches:

– Hashing followed by encryption

– Authentication followed by encryption

– Encryption followed by authentication

– Independently encrypt and authenticate

• Both decryption and verification are straightforward for

each approach

• There are security vulnerabilities with all of these

approaches

Counter with Cipher Block Chaining-

Message Authentication Code (C CM) • Was standardized by N I S T specifically to support the security

requirements of I E EE 802.11 W iFi wireless local area networks

• Variation of the encrypt-and-M A C approach to authenticated

encryption

– Defined in N I S T S P 800-38C

• Key algorithmic ingredients:

– A E S encryption algorithm

– C T R mode of operation

– C M A C authentication algorithm

• Single key K is used for both encryption and M A C algorithms

The input to the C CM encryption

process consists of three elements: • Data that will be both authenticated and encrypted

– This is the plaintext message P of the data block

• Associated data A that will be authenticated but not encrypted

– An example is a protocol header that must be transmitted in

the clear for proper protocol operation but which needs to be

authenticated

• A nonce N that is assigned to the payload and the associated

data

– This is a unique value that is different for every instance

during the lifetime of a protocol association and is intended

to prevent replay attacks and certain other types of attacks

Figure 12.9 Counter with Cipher

Block Chaining-Message

Authentication Code (C CM)

Galois/Counter Mode (G C M)

• N I S T standard S P 800-38D

• Designed to be parallelizable so that it can provide high

throughput with low cost and low latency

– Message is encrypted in variant of C T R mode

– Resulting ciphertext is multiplied with key material and

message length information over G F (2128) to generate the

authenticator tag

– The standard also specifies a mode of operation that

supplies the M A C only, known as G M A C

• Makes use of two functions:

– G H A S H - a keyed hash function

– G C T R – C T R mode with the counters determined by simple

increment by one operation

Figure 12.10 G C M Authentication and

Encryption Functions

Figure 12.11 Galois Counter—

Message Authentication Code (G C M)

Key Wrap (K W)

• Most recent block cipher mode of operation defined by

N I S T

– Uses A E S or triple D E A as the underlying encryption

algorithm

• Purpose is to securely exchange a symmetric key to be

shared by two parties, using a symmetric key already

shared by those parties

– The latter key is called a key encryption key (K E K)

• Robust in the sense that each bit of output can be

expected to depend in a nontrivial fashion on each bit of

input

• Only used for small amounts of plaintext

Figure 12.12 Key Wrapping Operation

for 256-Bit Key

Figure 12.13 Key Wrapping Operation

for 256-Bit Key: Stage t

Pseudorandom Number Generation

Using Hash Functions and M A Cs • Essential elements of any pseudorandom number

generator (P R N G) are a seed value and a deterministic

algorithm for generating a stream of pseudorandom bits

– If the algorithm is used as a pseudorandom function

(P R F) to produce a required value, the seed should

only be known to the user of the P R F

– If the algorithm is used to produce a stream encryption

function, the seed has the role of a secret key that must

be known to the sender and the receiver

• A hash function or M A C produces apparently random

output and can be used to build a P R N G

Figure 12.14 Basic Structure of Hash-

Based P R N Gs (S P 800-90)

Figure 12.15 Three P R N G s Based on

H M A C

Summary

• List and explain the possible

attacks that are relevant to

message authentication

• Define the term message

authentication code

• List and explain the

requirements for a message

authentication code

• Present an overview of H M A C

• Present an overview of C M A C

• Explain the concept of

authenticated encryption

• Present an overview of C CM

• Present an overview of G C M

• Discuss the concept of key

wrapping and explain its use

• Understand how a hash function

or a message authentication

code can be used for

pseudorandom number

generation

This work is protected by United States copyright laws and is

provided solely for the use of instructors in teaching their

courses and assessing student learning. Dissemination or sale of

any part of this work (including on the World Wide Web) will

destroy the integrity of the work and is not permitted. The work

and materials from it should never be made available to students

except by instructors using the accompanying text in their

classes. All recipients of this work are expected to abide by these

restrictions and to honor the intended pedagogical purposes and

the needs of other instructors who rely on these materials.