Post on 17-Dec-2015

Information Security Principles & Applications

Topic 4: Message Authentication

虞慧群 yhq@ecust.edu.cn

Authentication

Requirements - must be able to verify that:
- the message came from its alleged source or author
- the contents have not been altered
- sometimes, that it was sent at a certain time or in a certain sequence

Protection against active attack (falsification of data and transactions)

Two levels for a message authentication mechanism:
- Lower level: an authenticator, a value used to authenticate a message
- Higher level: an authentication protocol that enables a receiver to verify the authenticity of the message

Approaches to Message Authentication

Authentication using conventional encryption: only the sender and receiver share the key, so a message that decrypts correctly must have come from the other party.

Message authentication without message encryption: an authentication tag is generated and appended to each message. Two ways:
- Message Authentication Code (MAC)
- Hash function (or message digest)

Message Authentication Code

- generated by an algorithm that creates a small fixed-size block depending on both the message and a secret key
- like encryption, though it need not be reversible
- appended to the message as a signature
- the receiver performs the same computation on the message and checks that it matches the MAC
- provides assurance that the message is unaltered and comes from the sender

Message Authentication Code

Calculate the MAC as a function of the message and the key, i.e. MAC = F_K(M)

MAC Properties

- a MAC is a cryptographic checksum: MAC = F_K(M)
- condenses a variable-length message M using a secret key K to a fixed-size authenticator
- is a many-to-one function: potentially many messages have the same MAC, but finding them needs to be very difficult

Requirements for MACs

Taking into account the types of attacks, the MAC needs to satisfy the following:

1. knowing a message and its MAC, it is infeasible to find another message with the same MAC
2. MACs should be uniformly distributed
3. the MAC should depend equally on all bits of the message

Approaches to constructing MACs
- using DES
- HMAC

Hash Functions

- condenses an arbitrary message to a fixed size
- usually assume that the hash function is public and not keyed (cf. a MAC, which is keyed)
- the hash is used to detect changes to the message
- can be used in various ways with the message, most often to create a digital signature

Authentication Using Hash

Secret value is added before the hash and removed before transmission.

Hash Function Properties

- a hash function produces a fingerprint of some file/message/data
- h = H(M) condenses a variable-length message M to a fixed-size fingerprint
- the hash function is assumed to be public

Requirements for Hash Functions

1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h = H(M) for any message M
4. given h, it is infeasible to find x s.t. H(x) = h (one-way property)
5. given x, it is infeasible to find y != x s.t. H(y) = H(x) (weak collision resistance)
6. it is infeasible to find any pair x, y with x != y s.t. H(y) = H(x) (strong collision resistance)

Secure Hash Functions and HMAC

Secure Hash Functions
- Secure Hash Algorithm (SHA-1): NIST standard (FIPS 180-1), issued in 1995. Input: message of length < 2^64 bits; output: 160-bit message digest
- MD5
- RIPEMD-160

HMAC
- a MAC derived from a cryptographic hash code, such as SHA-1
- used in IP security, Transport Layer Security (TLS) and Secure Electronic Transaction (SET)
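As an added example (not from the lecture) of the MAC and HMAC material above: HMAC built directly from hashlib following RFC 2104, used as a sender-side tag and a receiver-side check with a constant-time comparison. The function names hmac_from_scratch, matches_stdlib, tag_message and verify_message are my own.

```python
import hashlib
import hmac


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC per RFC 2104: H((K' xor opad) || H((K' xor ipad) || M)).

    K' is the key, hashed first if longer than one hash block, then zero-padded
    to exactly one block; ipad/opad are the fixed bytes 0x36/0x5C repeated.
    """
    h = lambda data: hashlib.new(hash_name, data).digest()
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for SHA-1
    if len(key) > block_size:
        key = h(key)
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + message))


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against Python's hmac module, which implements the same construction."""
    return hmac.compare_digest(hmac_from_scratch(key, message),
                               hmac.new(key, message, hashlib.sha1).digest())


def tag_message(key: bytes, message: bytes) -> bytes:
    """Sender side: append the authenticator to the message."""
    return message + hmac_from_scratch(key, message)


def verify_message(key: bytes, tagged: bytes) -> tuple:
    """Receiver side: recompute the MAC over the received message and compare
    in constant time, so a forger learns nothing from how many bytes matched."""
    tag_len = hashlib.new("sha1").digest_size   # 20 bytes
    message, tag = tagged[:-tag_len], tagged[-tag_len:]
    return hmac.compare_digest(tag, hmac_from_scratch(key, message)), message


if __name__ == "__main__":
    k = b"shared secret between sender and receiver"   # constructed sample key
    packet = tag_message(k, b"transfer 100 to account 42")
    print(verify_message(k, packet))             # (True, b'transfer 100 to account 42')
    forged = bytearray(packet)
    forged[9] ^= 0x01                            # one bit altered in transit
    print(verify_message(k, bytes(forged))[0])   # False
```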

Authentication Applications

We will consider authentication functions developed to support application-level authentication and digital signatures: first Kerberos, a private-key authentication service, then the X.509 directory authentication service.

KERBEROS

In Greek mythology, a many-headed dog, the guardian of the entrance to Hades.

KERBEROS

Users wish to access services on servers. Three threats exist:
- a user pretends to be another user
- a user alters the network address of a workstation
- a user eavesdrops on exchanges and uses a replay attack

KERBEROS

- provides a centralized authentication server to authenticate users to servers and servers to users
- relies on conventional encryption, making no use of public-key encryption
- two versions: version 4 and version 5; version 4 makes use of DES

Kerberos Version 4

Terms:
- C = client
- AS = authentication server
- V = server
- IDc = identifier of user on C
- IDv = identifier of V
- Pc = password of user on C
- ADc = network address of C
- Kv = secret encryption key shared by AS and V
- TS = timestamp
- || = concatenation

A Simple Authentication Dialogue

(1) C -> AS: IDc || Pc || IDv
(2) AS -> C: Ticket
(3) C -> V: IDc || Ticket

Ticket = E_Kv[IDc || ADc || IDv]

Two problems:
- the number of times a user has to enter a password
- plaintext transmission of the password
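The simple dialogue above, simulated as an added example that is not part of the lecture: the AS checks the password and issues Ticket = E_Kv[IDc || ADc || IDv], and V decrypts with Kv and checks the three fields against the request it received. E_K is stood in for by a constructed SHA-256 counter-mode cipher with an HMAC tag (not DES); K_V, PASSWORDS and the function names are constructed for the example.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stand-in for E_K: SHA-256 in counter mode (illustration only, not DES)
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()   # integrity tag
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


K_V = os.urandom(32)                     # Kv: secret shared by AS and V (constructed)
PASSWORDS = {"alice": "correct horse"}   # AS user database (constructed sample)


def as_issue_ticket(id_c: str, p_c: str, ad_c: str, id_v: str) -> bytes:
    """Steps (1)-(2): AS checks Pc, then returns Ticket = E_Kv[IDc || ADc || IDv]."""
    if PASSWORDS.get(id_c) != p_c:
        raise PermissionError("AS: bad password for " + id_c)
    return encrypt(K_V, "||".join([id_c, ad_c, id_v]).encode())


def v_accept(id_c: str, ticket: bytes, src_addr: str, id_v: str = "fileserver") -> bool:
    """Step (3): V decrypts the ticket with Kv and checks that IDc matches the
    claimed identity, ADc matches the address the request came from (so a ticket
    captured and replayed from another workstation is refused) and IDv is V itself."""
    try:
        fields = decrypt(K_V, ticket).decode().split("||")
    except ValueError:
        return False
    return fields == [id_c, src_addr, id_v]
```

Note that nothing in this dialogue stops a replay from the same workstation address; that is what the timestamp and authenticator of the full version 4 dialogue add.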

The Idea towards Solution

Introducing a ticket-granting server (TGS):
- the user first requests a ticket-granting ticket (Ticket_tgs) from the AS;
- the user then authenticates itself to the TGS to obtain a ticket (Ticket_v) for accessing a new service;
- the user finally authenticates itself to V to request a particular service.

Kerberos Version 4 Authentication Dialogue

Overview of Kerberos

Request for Service in Another Realm

Difference Between Version 4 and 5

- encryption system dependence (V4: DES)
- Internet protocol dependence
- message byte ordering
- ticket lifetime
- authentication forwarding
- interrealm authentication

Kerberos Encryption Techniques

PCBC Mode

Kerberos - in practice

Currently there are two Kerberos versions:
- 4: restricted to a single realm
- 5: allows inter-realm authentication, in beta test. Kerberos v5 is an Internet standard specified in RFC 1510, and is used by many utilities.

To use Kerberos:
- need to have a KDC on your network
- need to have Kerberised applications running on all participating systems
- major problem: US export restrictions. Kerberos cannot be directly distributed outside the US in source format (and binary versions must obscure crypto routine entry points and have no encryption), else crypto libraries must be reimplemented locally.

X.509 Authentication Service

- a distributed set of servers that maintains a database about users
- each certificate contains the public key of a user and is signed with the private key of a CA
- is used in S/MIME, IP Security, SSL/TLS and SET
- RSA is the recommended algorithm

X.509 Formats

Obtaining a User’s Certificate

Characteristics of certificates generated by a CA:
- any user with access to the public key of the CA can recover the user public key that was certified
- no party other than the CA can modify the certificate without this being detected

X.509 CA Hierarchy

Revocation of Certificates

Reasons for revocation:
- the user's secret key is assumed to be compromised
- the user is no longer certified by this CA
- the CA's certificate is assumed to be compromised

Authentication Procedures

Summary

We have considered:
- message authentication using message encryption, MACs and hash functions
- Kerberos
- the X.509 Authentication Service

A Quiz

In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user whose public key e = 5, n = 35. What is the plaintext M?
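The quiz can be worked by hand because n = 35 factors trivially; the following added example (not part of the lecture) carries out the same steps in Python: factor n, compute phi(n) and the private exponent d, then decrypt. It generalises to any modulus small enough for trial division, which is exactly why real RSA moduli must be far too large to factor. The function names are my own; pow(e, -1, phi) needs Python 3.8 or later.

```python
def factor_small_modulus(n: int) -> tuple:
    """Trial division: fine for a toy n like 35, hopeless for a real 2048-bit modulus."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no factor <= sqrt(n)")


def rsa_recover_plaintext(c: int, e: int, n: int) -> int:
    """Recover M from C = M^e mod n by factoring n, deriving d, then M = C^d mod n."""
    p, q = factor_small_modulus(n)
    phi = (p - 1) * (q - 1)       # Euler's totient of n = p*q
    d = pow(e, -1, phi)           # private exponent: e * d = 1 (mod phi(n))
    m = pow(c, d, n)
    assert pow(m, e, n) == c      # sanity check: re-encrypting M gives back C
    return m


if __name__ == "__main__":
    # Quiz values: ciphertext C = 10, public key e = 5, n = 35
    print(rsa_recover_plaintext(10, 5, 35))
```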
