Chapter 12: Hash and MAC Algorithms.ppt

Uploaded by: 创****公  Document ID: 1594119  Upload date: 2019-10-19  Format: PPT  Pages: 34  Size: 902.50 KB

Chapter 12: Message Authentication Codes

Message Authentication
- message authentication is concerned with:
  - protecting the integrity of a message
  - validating identity of originator
  - non-repudiation of origin (dispute resolution)
- will consider the security requirements
- then three alternative functions used:
  - message encryption
  - hash function
  - message authentication code (MAC)

Security Requirements
- disclosure
- traffic analysis
- masquerade
- content modification
- sequence modification
- timing modification
- source repudiation
- destination repudiation

Symmetric Message Encryption
- encryption can also provide authentication
- if symmetric encryption is used then:
  - receiver knows sender must have created it, since only sender and receiver know the key used
  - receiver knows content cannot have been altered, if message has suitable structure, redundancy or a checksum to detect any changes

Public-Key Message Encryption
- if public-key encryption is used:
  - encryption provides no confidence of sender, since anyone potentially knows the public key
  - however, if sender signs message using their private key, then encrypts with recipient's public key, have both secrecy and authentication
  - again need to recognize corrupted messages
  - but at cost of two public-key uses on message

Hash and MAC Algorithms
- Hash Functions
  - condense arbitrary size message to fixed size
  - by processing message in blocks
  - through some compression function
  - either custom or block cipher based
- Message Authentication Code (MAC)
  - fixed sized authenticator for some message
  - to provide authentication for message
  - by using block cipher mode or hash function

Message Authentication Code (MAC)
- generated by an algorithm that creates a small fixed-sized block
  - depending on both message and some key
  - like encryption though need not be reversible
- appended to message as a signature
- receiver performs same computation on message and checks it matches the MAC
- provides assurance that message is unaltered and comes from sender

Message Authentication Code
- a small fixed-sized block of data
  - generated from message + secret key
  - MAC = C(K, M)
- appended to message when sent

Message Authentication Codes
- as shown the MAC provides authentication
- can also use encryption for secrecy
  - generally use separate keys for each
  - can compute MAC either before or after encryption
  - is generally regarded as better done before
- why use a MAC?
  - sometimes only authentication is needed (e.g., SNMP)
  - sometimes need authentication to persist longer than the encryption (e.g., archival use)
- note that a MAC is not a digital signature

MAC Properties
- a MAC is a cryptographic checksum: MAC = C_K(M)
  - condenses a variable-length message M
  - using a secret key K
  - to a fixed-sized authenticator
- is a many-to-one function
  - potentially many messages have same MAC
  - but finding these needs to be very difficult

Requirements for MACs
- taking into account the types of attacks
- need the MAC to satisfy the following:
  - knowing a message and MAC, is infeasible to find another message with same MAC
  - MACs should be uniformly distributed
  - MAC should depend equally on all bits of the message

Security of MACs
- like block ciphers have:
- brute-force attacks exploiting
  - strong collision resistance: hash have cost 2^(m/2)
    - 128-bit hash looks vulnerable, 160-bits better
  - MACs with known message-MAC pairs
    - can either attack keyspace (cf. key search) or MAC
    - at least 128-bit MAC is needed for security

Security of MACs
- cryptanalytic attacks exploit structure
  - like block ciphers want brute-force attacks to be the best alternative
- more variety of MACs so harder to generalize about cryptanalysis

Keyed Hash Functions as MACs
- want a MAC based on a hash function
  - because hash functions are generally faster
  - code for crypto hash functions widely available
- hash includes a key along with message
- original proposal: KeyedHash = Hash(Key|Message)
  - some weaknesses were found with this
- eventually led to development of HMAC

Problem with Keyed Hash
- KeyedHash = Hash(Key|Message)
- Recall hash function works on blocks
- Let M = Key | Message | Padding and M = M1 M2 ... ML, where |Mi| = Blocksize
- Hash = H(...H(H(IV, M1), M2)..., ML)
- But can add extra block(s) ML+1 by Hash' = H(Hash, ML+1)
- Unless formatting prevents it, but still best to use HMAC!

HMAC Design Objectives
- use, without modifications, hash functions
- allow for easy replaceability of embedded hash function
- preserve original performance of hash function without significant degradation
- use and handle keys in a simple way
- have well understood cryptographic analysis of authentication mechanism strength

HMAC
- specified as Internet standard RFC 2104
- uses hash function on the message: HMAC_K = Hash[(K+ XOR opad) | Hash[(K+ XOR ipad) | M]]
  - where K+ is the key padded out to size
  - opad (=0x36), ipad (=0x5c) are specified padding constants
- overhead is just 3 more hash calculations than the message needs alone
- any hash function can be used, e.g. MD5, SHA-1, RIPEMD-160, Whirlpool

[Figure: HMAC Overview]

HMAC Security
- proved security of HMAC relates to that of the underlying hash algorithm
- attacking HMAC requires either:
  - brute force attack on key used
  - birthday attack (but since keyed would need to observe a very large number of messages)
- choose hash function used based on speed versus security constraints

Using Symmetric Ciphers for MACs
- can use any block cipher chaining mode and use final block as a MAC
- Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
  - using IV=0 and zero-pad of final block
  - encrypt message using DES in CBC mode
  - and send just the final block as the MAC
    - or the leftmost M bits (16 ≤ M ≤ 64) of final block
- but final MAC is now too small for security
- can use message blocks in reverse order

[Figure: Data Authentication Algorithm; label: leftmost]

CMAC
- previously saw the DAA (CBC-MAC)
- widely used in govt & industry
- but has message size limitation
- can overcome using 2 keys & padding
- thus forming the Cipher-based Message Authentication Code (CMAC)
  - AES, 3DES
- adopted by NIST SP800-38B

[Figure: CMAC Overview; labels: constant 1, constant 2]

Authenticated Encryption
- simultaneously protect confidentiality and authenticity of communications
  - often required but usually separate
- approaches
  - Hash-then-encrypt: E(K, (M | H(M)))
  - MAC-then-encrypt: E(K2, (M | MAC(K1, M)))
  - Encrypt-then-MAC: (C=E(K2, M), T=MAC(K1, C))
  - Encrypt-and-MAC: (C=E(K2, M), T=MAC(K1, M))
- decryption / verification straightforward
- but security vulnerabilities with all these

Counter with Cipher Block Chaining-Message Authentication Code (CCM)
- NIST standard SP 800-38C for WiFi
- variation of encrypt-and-MAC approach
- algorithmic ingredients
  - AES encryption algorithm
  - CTR mode of operation
  - CMAC authentication algorithm
- single key used for both encryption & MAC

[Figure: CCM Operation; labels: nonce, plaintext data, associated data]

Galois/Counter Mode (GCM)
- NIST standard SP 800-38D, parallelizable
- message is encrypted in variant of CTR
- ciphertext multiplied with key & length in GF(2^128) to generate authenticator tag
- have GMAC MAC-only mode also
- uses two functions:
  - GHASH - a keyed hash function
  - GCTR - CTR mode with incremented counter

[Figure: GCM Functions]

[Figure: GCM Mode Overview]

Pseudorandom Number Generation (PRNG) Using Hash Functions and MACs
- essential elements of PRNG are
  - seed value
  - deterministic algorithm
- seed must be known only as needed
- can base PRNG on
  - encryption algorithm (Chs 7 & 10)
  - hash function (ISO18031 & NIST SP 800-90)
  - MAC (NIST SP 800-90)
- randomness

PRNG using a Hash Function
- hash PRNG from SP800-90 and ISO18031
  - take seed V
  - repeatedly add 1
  - hash V
  - use n-bits of hash as random value
- secure if good hash used

PRNG using a MAC
- MAC PRNGs in SP800-90, IEEE 802.11i, TLS
  - use key
  - input based on last hash in various ways

Summary
- have considered:
  - message authentication requirements
  - message authentication using encryption
  - MACs
  - HMAC authentication using a hash function
  - CMAC authentication using a block cipher
  - Authenticated encryption: CCM, GCM
  - Pseudorandom Number Generation (PRNG) using Hash Functions and MACs
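Added example (not part of the original slides) for the "Problem with Keyed Hash" and "HMAC" slides: a toy block-chained hash, built here with SHA-256 as a stand-in compression function, shows a verifier based on Hash(Key|Message) accepting an extended message whose tag was computed without the key, while HMAC over the same hash rejects it. The names md_hash, extend and hmac_over, the all-zero IV and the sample key and messages are assumptions of this sketch; the padding constants follow RFC 2104, which assigns 0x36 to ipad and 0x5C to opad.

```python
import hashlib
import hmac

BLOCK = 64      # block size in bytes (assumed; same as SHA-256)
IV = bytes(32)  # constructed initial value for the toy hash

def pad(total_len):
    """Merkle-Damgard padding: 0x80, zeros, then the 64-bit message bit length."""
    zeros = -(total_len + 9) % BLOCK
    return b"\x80" + bytes(zeros) + (8 * total_len).to_bytes(8, "big")

def md_hash(data, state=IV, prior_len=0):
    """Toy hash H(...H(H(IV, M1), M2)..., ML); state/prior_len resume a chain."""
    data += pad(prior_len + len(data))
    for i in range(0, len(data), BLOCK):
        # stand-in compression function H(state, block)
        state = hashlib.sha256(state + data[i:i + BLOCK]).digest()
    return state

def keyed_hash(key, msg):
    """The original proposal from the slides: Hash(Key | Message)."""
    return md_hash(key + msg)

def extend(tag, key_len, msg, suffix):
    """Continue the chain from a known tag; the key itself is never used."""
    glue = pad(key_len + len(msg))
    prior = key_len + len(msg) + len(glue)
    return msg + glue + suffix, md_hash(suffix, state=tag, prior_len=prior)

def hmac_over(hash_fn, key, msg):
    """HMAC per RFC 2104: H((K+ ^ opad) | H((K+ ^ ipad) | M)), 64-byte blocks."""
    if len(key) > BLOCK:
        key = hash_fn(key)
    k = key.ljust(BLOCK, b"\x00")                        # K+
    inner = hash_fn(bytes(b ^ 0x36 for b in k) + msg)    # ipad = 0x36
    return hash_fn(bytes(b ^ 0x5C for b in k) + inner)   # opad = 0x5C

def demo():
    key, msg, extra = b"constructed-key", b"first block", b"extra block"
    # Hash(Key|Message): the extended message verifies under the real key.
    new_msg, new_tag = extend(keyed_hash(key, msg), len(key), msg, extra)
    plain_ok = hmac.compare_digest(keyed_hash(key, new_msg), new_tag)
    # HMAC over the same toy hash: the same extension no longer verifies.
    new_msg, new_tag = extend(hmac_over(md_hash, key, msg), len(key), msg, extra)
    hmac_ok = hmac.compare_digest(hmac_over(md_hash, key, new_msg), new_tag)
    return plain_ok, hmac_ok
```

demo() returns one flag per construction: whether the extended message passed verification under Hash(Key|Message) and under HMAC.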
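Added example (not from the original slides) for the Encrypt-then-MAC entry on the "Authenticated Encryption" slide: C = E(K2, M), T = MAC(K1, C), with separate keys and the tag checked before any decryption. The keystream cipher built from HMAC-SHA256, the nonce covered by the tag, and the names seal and unseal are assumptions of this sketch.

```python
import hashlib
import hmac
import os

def keystream_xor(k2, nonce, data):
    """Stand-in for E(K2, M): XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        block = hmac.new(k2, nonce + counter, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(k1, k2, msg, nonce=None):
    """Encrypt-then-MAC: C = E(K2, M), then T = MAC(K1, nonce | C)."""
    nonce = nonce or os.urandom(16)   # fresh nonce per message
    c = keystream_xor(k2, nonce, msg)
    t = hmac.new(k1, nonce + c, hashlib.sha256).digest()
    return nonce, c, t

def unseal(k1, k2, nonce, c, t):
    """Recompute T over the received ciphertext; decrypt only if it matches."""
    expected = hmac.new(k1, nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, t):   # constant-time comparison
        return None                            # reject without decrypting
    return keystream_xor(k2, nonce, c)
```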
