ACN 2013-2014 (4)


  • 7/27/2019 ACN 2013-2014 (4)

    1/25

    MESSAGE INTEGRITY

    The cryptography systems that we have studied so far provide secrecy, or confidentiality, but not integrity. However, there are occasions where we may not even need secrecy but instead must have integrity.

    Document and Fingerprint

    One way to preserve the integrity of a document is through the use of a fingerprint. If Alice needs to be sure that the contents of her document will not be changed, she can put her fingerprint at the bottom of the document.


    The electronic equivalent of the document and fingerprint pair is the message and digest pair.

    Message and digest

    Message and Message Digest


    The two pairs (document / fingerprint) and (message / message digest) are similar, with some differences. The document and fingerprint are physically linked together. The message and message digest can be unlinked and sent separately, and, most importantly, the message digest needs to be safe from change.


    Difference



    Checking Integrity


    A cryptographic hash function must satisfy three criteria: preimage resistance, second preimage resistance, and collision resistance.


    Cryptographic Hash Function Criteria


    Preimage Resistance

    Cryptographic Hash Function Criteria Contd.


    Example 1

    Can we use a conventional lossless compression method such as StuffIt as a cryptographic hash function?

    Solution: We cannot. A lossless compression method creates a compressed message that is reversible: the original message can be recovered from the output, so the function is not preimage resistant.

    Example 2

    Can we use a checksum function as a cryptographic hash function?

    Solution: We cannot. A checksum function is not preimage resistant; Eve may find several messages whose checksum matches the given one.


    Second Preimage Resistance

    Second preimage


    Collision Resistance

    Collision
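As an added example (not part of the original slides), the Python code below makes the three criteria and Example 2 concrete. It uses a byte-sum checksum, for which a second preimage can be written down with no search at all, and SHA-256 truncated to a few bits, an assumed and deliberately weak hash, so that a brute-force preimage search and a birthday-style collision search both finish in seconds and the 2^n versus 2^(n/2) cost gap can be seen directly. The function names, message formats and bit sizes are choices made for this illustration.

```python
import hashlib
import itertools
from typing import Optional, Tuple


def byte_sum_checksum(msg: bytes) -> int:
    """Toy checksum: sum of all bytes mod 256 (the kind of function Example 2 rules out)."""
    return sum(msg) % 256


def checksum_second_preimage(msg: bytes) -> bytes:
    """Second preimage for byte_sum_checksum with no search: add 1 to one byte and
    subtract 1 from its neighbour, so the sum (and hence the checksum) is unchanged."""
    m = bytearray(msg)
    for i in range(len(m) - 1):
        if m[i] < 255 and m[i + 1] > 0:
            m[i] += 1
            m[i + 1] -= 1
            return bytes(m)
    raise ValueError("no adjustable byte pair in message")


def trunc_hash(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits: an assumed weak hash so searches finish quickly."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)


def find_preimage(target: int, bits: int, limit: int) -> Optional[Tuple[bytes, int]]:
    """Preimage attack by brute force: try constructed messages msg-0, msg-1, ... until one
    hashes to `target`. Expected work is about 2**bits trials. Returns (message, trials)."""
    for n in range(limit):
        candidate = b"msg-%d" % n
        if trunc_hash(candidate, bits) == target:
            return candidate, n + 1
    return None


def find_collision(bits: int) -> Tuple[bytes, bytes, int]:
    """Birthday attack: remember every digest seen; the first repeat is a collision.
    Expected work is about 2**(bits/2) trials, far less than a preimage search."""
    seen = {}
    for n in itertools.count():
        candidate = b"col-%d" % n
        h = trunc_hash(candidate, bits)
        if h in seen:
            return seen[h], candidate, n + 1
        seen[h] = candidate


def demo() -> dict:
    """Run all three attacks on small parameters and report the work each took."""
    original = b"pay 100 to bob"                       # constructed sample message
    forged = checksum_second_preimage(original)
    pre = find_preimage(trunc_hash(b"secret", 16), 16, 1 << 22)
    m1, m2, col_trials = find_collision(24)
    return {
        "checksum_equal": byte_sum_checksum(original) == byte_sum_checksum(forged),
        "forged": forged,
        "preimage_trials": pre[1] if pre else None,    # around 2**16 for a 16-bit digest
        "collision_trials": col_trials,                # around 2**12 for a 24-bit digest
        "collision_valid": m1 != m2 and trunc_hash(m1, 24) == trunc_hash(m2, 24),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the preimage search taking tens of thousands of trials for a 16-bit digest while the collision search on a larger 24-bit digest typically needs only a few thousand; that asymmetry is why collision resistance is the criterion that fixes the minimum digest size in practice.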


    RANDOM ORACLE MODEL

    The Random Oracle Model, which was introduced in 1993 by Bellare and Rogaway, is an ideal mathematical model for a hash function.

    Assume an oracle with a table and a fair coin. The table has two columns.

    a. The message AB1234CD8765BDAD is given for digest calculation. The oracle checks its table.


    Example 3

    b. The message 4523AB1352CDEF45126 is given for digest calculation. The oracle checks its table and finds that there is a digest for this message in the table (first row). The oracle simply gives the corresponding digest (13AB).


    Example 4

    The oracle in Example 3 cannot use a formula or algorithm to create the digest for a message. For example, imagine the oracle uses the formula h(M) = M mod n. Now suppose that the oracle has already given h(M1) and h(M2). If a new message is presented as M3 = M1 + M2, the oracle does not have to calculate h(M3). The new digest is just [h(M1) + h(M2)] mod n, since (M1 + M2) mod n = [(M1 mod n) + (M2 mod n)] mod n.

    This violates the third requirement that each digest must be randomly chosen based on the message given to the oracle.
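The following Python code is an added example, not part of the original slides. It implements the oracle of Example 3 as a lazily filled two-column table driven by a coin source, replays cases a and b, and contrasts it with the h(M) = M mod n formula of Example 4: for the formula the digest of M1 + M2 is always predictable from the digests of M1 and M2, while for the table-and-coin oracle it almost never is. Class and function names, the 16-bit digest size, and the seeded coin used for repeatability are assumptions of this illustration.

```python
import random
import secrets
from typing import Callable, Dict, Tuple


class RandomOracle:
    """Random oracle as in Example 3: a two-column table (message, digest) that starts empty.
    A message not in the table gets a digest made of fresh fair coin flips, which is then
    recorded; a message already in the table gets the recorded digest back unchanged."""

    def __init__(self, digest_bits: int = 16,
                 coin: Callable[[int], int] = secrets.randbits) -> None:
        self.digest_bits = digest_bits
        self.table: Dict[bytes, int] = {}
        self.coin = coin  # coin(k) returns k fair random bits; injectable for repeatable runs

    def digest(self, message: bytes) -> int:
        if message not in self.table:                        # not found: flip the coin
            self.table[message] = self.coin(self.digest_bits)
        return self.table[message]                           # found: give the stored digest


def example_3() -> Tuple[int, int, int]:
    """Replays Example 3 with a table whose first row is already (4523AB1352CDEF45126, 13AB)."""
    oracle = RandomOracle(digest_bits=16)
    oracle.table[b"4523AB1352CDEF45126"] = 0x13AB             # the pre-existing first row
    fresh = oracle.digest(b"AB1234CD8765BDAD")                # case a: new message, coin flipped
    stored = oracle.digest(b"4523AB1352CDEF45126")            # case b: found in the table
    return fresh, stored, len(oracle.table)


def mod_oracle(message: int, n: int) -> int:
    """The formula h(M) = M mod n from Example 4, which is NOT a valid oracle."""
    return message % n


def mod_oracle_predicts_sum(m1: int, m2: int, n: int) -> bool:
    """Example 4's defect: h(M1 + M2) follows from h(M1) and h(M2) without asking the
    oracle, because (M1 + M2) mod n = [(M1 mod n) + (M2 mod n)] mod n. Always True."""
    return mod_oracle(m1 + m2, n) == (mod_oracle(m1, n) + mod_oracle(m2, n)) % n


def random_oracle_predicts_sum(trials: int, digest_bits: int = 16, seed: int = 1) -> float:
    """Fraction of trials in which the same relation happens to hold for the table-and-coin
    oracle, with integer messages encoded as bytes. With 16-bit digests and n = 2**16 this
    is about 1/65536: the digest of M1 + M2 is unrelated to the digests of M1 and M2."""
    rng = random.Random(seed)                                 # seeded so the demo is repeatable
    oracle = RandomOracle(digest_bits, rng.getrandbits)
    n = 1 << digest_bits
    enc = lambda m: m.to_bytes(8, "big")
    hits = 0
    for _ in range(trials):
        m1, m2 = rng.getrandbits(30), rng.getrandbits(30)
        if oracle.digest(enc(m1 + m2)) == (oracle.digest(enc(m1)) + oracle.digest(enc(m2))) % n:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print(example_3())
    print(mod_oracle_predicts_sum(0xAB1234CD8765BDAD, 0x4523AB1352CDEF45126, 1000))
    print(random_oracle_predicts_sum(2000))
```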


    MESSAGE AUTHENTICATION

    A message digest does not authenticate the sender of the message. To provide message authentication, Alice needs to provide proof that it is Alice sending the message and not an impostor. The digest created by a cryptographic hash function is normally called a modification detection code (MDC). What we need for message authentication is a message authentication code (MAC).


    A modification detection code (MDC) is a message digest that can prove the integrity of the message: that the message has not been changed. If Alice needs to send a message to Bob and be sure that the message will not change during transmission, Alice can create a message digest, MDC, and send both the message and the MDC to Bob. Bob can create a new MDC from the message and compare the received MDC and the new MDC. If they are the same, the message has not been changed.

    Modification Detection Code (MDC)


    Message Authentication Code (MAC)


    Security of a MAC

    Suppose an attacker intercepts the message M and the digest h(K|M). How can the attacker forge a message without knowing the secret key? There are three possible cases:

    1. If the size of the key allows exhaustive search, the attacker may prepend all possible keys at the beginning of the message and make a digest of (K|M) until she finds the digest equal to the one intercepted. She then knows the key and can successfully replace the message with a forged message of her choosing.

    2. Given some pairs of messages and their MACs, the attacker can manipulate them to come up with a new message and its MAC. For the prefix construction h(K|M) with a Merkle-Damgård hash this is the length-extension attack: the intercepted digest is the hash's internal state after absorbing K|M and its padding, so knowing only the length of K the attacker can continue hashing and obtain a valid digest for M followed by the padding and any suffix of her choice.

    The security of a MAC depends on the security of the underlying hash algorithm.


    Nested MAC
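As an added example, not from the original slides, the Python code below builds a small Merkle-Damgård hash (an assumed toy compression function on 16-byte blocks with an 8-byte chaining state, using SHA-256 only as a convenient mixing step) and carries out case 2 from the previous page against the prefix MAC h(K|M): from one valid (message, tag) pair and the key length alone, it computes a valid tag for an extended message. It then applies the same trick to the nested MAC h(K | h(K|M)) and shows that it fails, because the verifier recomputes the inner hash over the whole forged message and the inner chaining state is hidden by the outer hash. Keys, messages and all function names are constructed for this illustration.

```python
import hashlib

BLOCK = 16                   # b/8: block size of the toy hash in bytes
STATE = 8                    # n/8: digest size in bytes
IV0 = b"\x00" * STATE        # fixed initial chaining value


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function (assumed, for illustration): SHA-256 of state||block,
    truncated. The attack below uses only the Merkle-Damgård structure, not this choice."""
    return hashlib.sha256(state + block).digest()[:STATE]


def md_pad(total_len: int) -> bytes:
    """Merkle-Damgård strengthening: 0x80, zeros to fill, then the 8-byte bit length."""
    zeros = (BLOCK - 9 - total_len) % BLOCK
    return b"\x80" + b"\x00" * zeros + (total_len * 8).to_bytes(8, "big")


def md_hash(msg: bytes, state: bytes = IV0, already_hashed: int = 0) -> bytes:
    """Hash msg block by block. `state` and `already_hashed` let the computation resume
    from a known digest, which is exactly the capability a length-extension attacker has."""
    data = msg + md_pad(already_hashed + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def prefix_mac(key: bytes, msg: bytes) -> bytes:
    """The MAC from the previous page: h(K|M)."""
    return md_hash(key + msg)


def nested_mac(key: bytes, msg: bytes) -> bytes:
    """Nested MAC: h(K | h(K|M)). The outer hash hides the inner chaining state."""
    return md_hash(key + md_hash(key + msg))


def length_extension(tag: bytes, msg: bytes, key_len: int, suffix: bytes):
    """Case 2 against a prefix MAC: from one valid (msg, tag) pair and the key LENGTH only,
    produce a valid tag for msg || glue || suffix. `glue` is the padding the hash applied
    to K|M; resuming from `tag` as the chaining value continues that same computation."""
    glue = md_pad(key_len + len(msg))
    forged_msg = msg + glue + suffix
    forged_tag = md_hash(suffix, state=tag, already_hashed=key_len + len(msg) + len(glue))
    return forged_msg, forged_tag


def demo() -> dict:
    key = b"s3cret-key"                          # constructed; the attacker never sees it
    msg = b"amount=10&to=alice"                  # constructed sample message
    suffix = b"&to=mallory"
    tag = prefix_mac(key, msg)
    forged_msg, forged_tag = length_extension(tag, msg, len(key), suffix)
    # Same attempt against the nested MAC: the verifier recomputes h(K|forged_msg) from
    # scratch, and that inner state cannot be derived from the outer digest, so the
    # extended tag does not match.
    _, forged_nested = length_extension(nested_mac(key, msg), msg, len(key), suffix)
    return {
        "prefix_mac_forged": forged_tag == prefix_mac(key, forged_msg),      # True
        "nested_mac_forged": forged_nested == nested_mac(key, forged_msg),   # False
        "forged_msg": forged_msg,
    }


if __name__ == "__main__":
    print(demo())
```

The forged message carries the glue padding in the middle, which is why this attack works best against formats that tolerate stray bytes (query strings, some binary protocols). The same resumption trick applies to MD5, SHA-1 and SHA-256; SHA-3 and the truncated SHA-512/256 do not expose their full state in the digest.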


    Hashed MAC (HMAC)

    1. The message is divided into N blocks, each b bits.

    2. The secret key is padded with 0s to create a b-bit key (in RFC 2104 the zeros are appended after the key, and a key longer than b bits is first hashed down to n bits). Note that it is recommended that the secret key (before padding) be longer than n bits, where n is the size of the HMAC.

    3. The result of step 2 is exclusive-ored with a constant called ipad (input pad) to create a b-bit block. The value of ipad is the b/8 repetition of the sequence 00110110 (36 in hexadecimal).

    4. The resulting block is prepended to the N-block message. The result is N + 1 blocks.

    5. The result of step 4 is hashed to create an n-bit digest. It is called the intermediate HMAC.

    6. The intermediate n-bit HMAC is left padded with 0s to make a b-bit block. (RFC 2104 omits this padding: the n-bit intermediate digest is appended directly after the opad block and the hash function's own padding completes the final block.)

    7. Steps 2 and 3 are repeated with a different constant opad (output pad). The value of opad is the b/8 repetition of the sequence 01011100 (5C in hexadecimal).

    8. The result of step 7 is prepended to the block of step 6.

    9. The result of step 8 is hashed with the same hashing algorithm to create the final n-bit HMAC.
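As an added example that is not part of the original slides, the Python code below carries out the nine steps above with SHA-256 (b = 512 bits, n = 256 bits) in the RFC 2104 form, that is, zeros appended after the key and the intermediate digest fed to the outer hash without extra padding, and checks the result against Python's standard `hmac` module. The names `B`, `IPAD`, `OPAD`, `hmac_sha256`, `verify_hmac` and `stdlib_hmac`, and the sample key and message, are choices of this illustration.

```python
import hashlib
import hmac

B = 64                      # b/8: SHA-256 block size in bytes
IPAD = bytes([0x36]) * B    # b/8 repetitions of 00110110
OPAD = bytes([0x5C]) * B    # b/8 repetitions of 01011100


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC as in RFC 2104, following the numbered steps of the slides."""
    # Step 2: a key longer than b bits is first hashed to n bits; the key is then
    # padded with zeros (appended) to exactly b bits.
    if len(key) > B:
        key = hashlib.sha256(key).digest()
    padded_key = key + b"\x00" * (B - len(key))
    # Step 3: exclusive-or with ipad to get a b-bit block.
    inner_block = _xor(padded_key, IPAD)
    # Steps 4-5: prepend that block to the message and hash -> intermediate n-bit HMAC.
    intermediate = hashlib.sha256(inner_block + message).digest()
    # Step 7: steps 2-3 again with opad.
    outer_block = _xor(padded_key, OPAD)
    # Steps 8-9: prepend the opad block to the intermediate digest and hash again.
    # RFC 2104 appends the intermediate digest as-is; SHA-256's own padding fills the block.
    return hashlib.sha256(outer_block + intermediate).digest()


def stdlib_hmac(key: bytes, message: bytes) -> bytes:
    """Reference value from the standard library, for comparison."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute and compare in constant time so that the comparison
    itself does not leak how many leading bytes of the tag were right."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


if __name__ == "__main__":
    key, msg = b"Jefe", b"what do ya want for nothing?"   # RFC 4231 test case 2 inputs
    tag = hmac_sha256(key, msg)
    print(tag.hex(), tag == stdlib_hmac(key, msg), verify_hmac(key, msg, tag))
```

Because the key enters both the inner and the outer hash, the length-extension trick that breaks h(K|M) gives nothing here: extending the inner hash changes the intermediate value, which the attacker cannot recompute without the key, and the outer hash never exposes the inner state.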


    Cipher Block Chaining (CBC)

    • Cipher Block Chaining mode ensures that even if a block of plaintext repeats in the input, these two or more identical plaintext blocks yield totally different ciphertext blocks in the output. For this, a feedback mechanism is used.

    • The first step receives two inputs: the first block of plaintext and a random block of text called the Initialization Vector (IV).

    • Remember that the IV is used only for the first plaintext block. However, the same key is used for encryption of all plaintext blocks.


    Cipher Block Chaining (CBC) Contd.

    The plaintext is broken into blocks: P_1, P_2, P_3, ...

    Each plaintext block is XORed (chained) with the previous ciphertext block before encryption (hence the name):

        C_i = E_K(P_i ⊕ C_{i-1})

    Use an Initial Vector IV to start the process: C_0 = IV.

    Decryption: P_i = D_K(C_i) ⊕ C_{i-1}

    Application: general block-oriented transmission.


    Cipher Block Chaining (CBC)

    Encryption:  C_0 = IV,  C_i = E(K, P_i ⊕ C_{i-1})  for i ≥ 1
    Decryption:  P_i = D(K, C_i) ⊕ C_{i-1}  for i ≥ 1, with C_0 = IV



    Advantages and Limitations of CBC

    • Repeated plaintext blocks are encrypted differently.

    • A ciphertext block depends on all plaintext blocks before it.

    • Any change to a plaintext block affects all following ciphertext blocks.

    • Needs an Initialization Vector (IV), which must be known to sender and receiver.

    • If the IV is sent in the clear, an attacker can change bits of the first plaintext block by changing the corresponding bits of the IV to compensate: since P_1 = D(K, C_1) ⊕ IV, flipping a bit of the IV flips the same bit of the recovered P_1 without disturbing any other block.

    • Hence the IV must either be a fixed value or be sent encrypted in ECB mode before the rest of the message. Note, however, that a fixed IV makes two messages with the same first plaintext block produce the same first ciphertext block, which leaks information; the usual practice today is a fresh unpredictable IV per message, sent in the clear, with the IV and ciphertext together protected by a MAC so that tampering is detected rather than prevented by hiding the IV.
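The Python code below is an added example, not part of the original slides. It implements CBC encryption and decryption exactly as the equations C_i = E(K, P_i ⊕ C_{i-1}) and P_i = D(K, C_i) ⊕ C_{i-1} state, over an assumed toy block cipher (a 4-round Feistel network with a keyed SHA-256 round function, standing in for a real cipher such as AES so that the example needs no third-party library). It shows the two identical plaintext blocks that ECB would encrypt identically coming out different under CBC, and then carries out the IV attack from the last bullet: flipping bits of a cleartext IV changes the first plaintext block in a chosen way while decryption still succeeds. Keys, the sample message and all function names are constructed for this illustration.

```python
import hashlib
import os

BLOCK = 16          # block size in bytes
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, r: int, half: bytes) -> bytes:
    """Round function of the toy cipher: keyed SHA-256, truncated to half a block."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """E(K, P): a 4-round Feistel network (assumed stand-in for a real block cipher)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _f(key, r, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """D(K, C): the Feistel rounds undone in reverse order."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, r, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_0 = IV, C_i = E(K, P_i xor C_{i-1}). Returns C_1 || C_2 || ... (IV sent separately)."""
    data = pkcs7_pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = D(K, C_i) xor C_{i-1}, with C_0 = IV."""
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, block), prev))
        prev = block
    return pkcs7_unpad(b"".join(out))


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB for contrast: no chaining, so equal plaintext blocks give equal ciphertext blocks."""
    data = pkcs7_pad(plaintext)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def tamper_iv(iv: bytes, index: int, delta: int) -> bytes:
    """The attack from the last bullet: since P_1 = D(K, C_1) xor IV, XORing byte `index`
    of the IV with `delta` XORs the same byte of the recovered first plaintext block."""
    iv = bytearray(iv)
    iv[index] ^= delta
    return bytes(iv)


def demo() -> dict:
    key = os.urandom(16)                 # constructed key
    iv = os.urandom(BLOCK)               # fresh random IV
    repeated = b"A" * 32                 # two identical plaintext blocks
    cbc = cbc_encrypt(key, iv, repeated)
    ecb = ecb_encrypt(key, repeated)
    msg = b"amount=0100;to=bob"          # constructed message; byte 7 is the leading '0'
    ct = cbc_encrypt(key, iv, msg)
    bad_iv = tamper_iv(iv, 7, ord("0") ^ ord("9"))   # attacker never touches ct or key
    return {
        "cbc_blocks_differ": cbc[:BLOCK] != cbc[BLOCK:2 * BLOCK],   # True
        "ecb_blocks_equal": ecb[:BLOCK] == ecb[BLOCK:2 * BLOCK],    # True
        "roundtrip": cbc_decrypt(key, iv, ct) == msg,               # True
        "tampered": cbc_decrypt(key, bad_iv, ct),                   # b"amount=9100;to=bob"
    }


if __name__ == "__main__":
    print(demo())
```

The tampered decryption succeeds with valid padding and a plausible message, which is the point of the last bullet: encryption alone gives no integrity, and a MAC over IV and ciphertext is what actually stops this, whether or not the IV is hidden.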


    SHA-512

    SHA-512 is the version of SHA with a 512-bit message digest. This version, like the others in the SHA family of algorithms, is based on the Merkle-Damgård scheme.