
CH - 11 Integrity Auth

Chapter 11 discusses message integrity and authentication, defining key concepts such as cryptographic hash functions, message digests, and the Random Oracle Model. It highlights the importance of ensuring message integrity through methods like Modification Detection Codes (MDC) and Message Authentication Codes (MAC). The chapter also outlines the criteria for secure hash functions and the differences between various types of codes used for message verification.

Uploaded by

ouydyit

Chapter 11
Message Integrity and Message Authentication

Objectives

❏ To define message integrity
❏ To define message authentication
❏ To define criteria for a cryptographic hash function
❏ To define the Random Oracle Model and its role in evaluating the security of cryptographic hash functions
❏ To distinguish between an MDC and a MAC
❏ To discuss some common MACs

11-1 MESSAGE INTEGRITY

The cryptography systems that we have studied so far provide secrecy, or confidentiality, but not integrity. However, there are occasions where we may not even need secrecy but instead must have integrity.

Topics discussed in this section:
11.1 Document and Fingerprint
11.2 Message and Message Digest
11.3 Difference
11.4 Checking Integrity
11.5 Cryptographic Hash Function Criteria

11.1.1 Document and Fingerprint

One way to preserve the integrity of a document is through the use of a fingerprint. If Alice needs to be sure that the contents of her document will not be changed, she can put her fingerprint at the bottom of the document.

11.1.2 Message and Message Digest

The electronic equivalent of the document and fingerprint pair is the message and digest pair.

Figure 11.1 Message and digest

11.1.3 Difference

The two pairs (document / fingerprint) and (message / message digest) are similar, with some differences. The document and fingerprint are physically linked together. The message and message digest can be unlinked separately, and, most importantly, the message digest needs to be safe from change.

Note
The message digest needs to be safe from change.

Hash Function

A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code h(M), message digest, or hash value.

y = h(M)

- It does not use a key.
- It is only a function of the input message.
- It is assumed to be public.

A change to any bit or bits in the message results in a change to the hash code.

Simple Hash Functions

There are several proposals for simple functions based on XOR of message blocks.

11.1.4 Checking Integrity

Figure 11.2 Checking integrity

11.1.5 Cryptographic Hash Function Criteria

A cryptographic hash function must satisfy three criteria: preimage resistance, second preimage resistance, and collision resistance.

Figure 11.3 Criteria of a cryptographic hash function

11.1.5 Continued

Preimage Resistance

11.1.5 Continued

Example 11.1
Can we use a conventional lossless compression method such as StuffIt as a cryptographic hash function?

Solution
We cannot. A lossless compression method creates a compressed message that is reversible.

Example 11.2
Can we use a checksum function as a cryptographic hash function?

Solution
We cannot. A checksum function is not preimage resistant; Eve may find several messages whose checksum matches the given one.

11.1.5 Second Preimage Resistance

Ensures that a message cannot easily be forged.

Figure 11.5 Second preimage

11.1.5 Continued

Collision Resistance

Figure 11.6 Collision
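
The following added example (not part of the original slides) shows why the XOR-of-blocks construction from the Simple Hash Functions slide, like the checksum in Example 11.2, fails second preimage and collision resistance. The 4-byte block size, the function names and the sample messages are assumptions made for the illustration.

```python
# Added illustration: xor_hash and the sample messages are constructed for this example.
import hashlib
from functools import reduce

BLOCK = 4  # block size in bytes (assumed; the slides do not fix one)


def xor_hash(message: bytes) -> bytes:
    """Toy hash: zero-pad to a multiple of BLOCK, then XOR all blocks together."""
    padded = message + b"\x00" * (-len(message) % BLOCK)
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks, bytes(BLOCK))


def second_preimage_by_reorder(message: bytes) -> bytes:
    """XOR is commutative, so swapping the first two blocks keeps the digest."""
    return message[BLOCK:2 * BLOCK] + message[:BLOCK] + message[2 * BLOCK:]


def second_preimage_by_patch(original: bytes, other: bytes) -> bytes:
    """Append one block that cancels the difference between the two digests."""
    other = other + b"\x00" * (-len(other) % BLOCK)
    fix = bytes(x ^ y for x, y in zip(xor_hash(original), xor_hash(other)))
    return other + fix


# Constructed sample messages (16 bytes each, i.e. four blocks).
ORIGINAL = b"PAY 0100 TO BOB."
OTHER = b"PAY 9999 TO EVE."

REORDERED = second_preimage_by_reorder(ORIGINAL)
PATCHED = second_preimage_by_patch(ORIGINAL, OTHER)

if __name__ == "__main__":
    for m in (ORIGINAL, REORDERED, PATCHED):
        # Same toy digest every time; SHA-256 separates all three messages.
        print(m, xor_hash(m).hex(), hashlib.sha256(m).hexdigest()[:16])
```

All three messages share one XOR digest, so a receiver comparing only that digest cannot tell them apart.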


11-2 RANDOM ORACLE MODEL

The Random Oracle Model, which was introduced in 1993 by Bellare and Rogaway, is an ideal mathematical model for a hash function. A random oracle is a mathematical function mapping every possible query to a random response from its output domain.

Topics discussed in this section:
11.2.1 Pigeonhole Principle
11.2.2 Birthday Problems
11.2.3 Attacks on Random Oracle Model
11.2.4 Attacks on the Structure

11-2 Continued
Example 11.3

Assume an oracle with a table. The table has two columns.

a. The message AB1234CD8765BDAD is given for digest calculation. The oracle checks its table. The oracle flips the coin 16 times, and the result is HHTH… = 1101…, where head H = 1 and tail T = 0.

11-2 Continued
Example 11.3 Continued

b. The message 4523AB1352CDEF45126 is given for digest calculation. The oracle checks its table and finds that there is a digest for this message in the table (first row). The oracle simply gives the corresponding digest (13AB).

11-2 Continued
Example 11.4

The oracle in Example 11.3 cannot use a formula or algorithm to create the digest for a message. For example, imagine the oracle uses the formula h(M) = M mod n. Now suppose that the oracle has already given h(M1) and h(M2). If a new message is presented as M3 = M1 + M2, the oracle does not have to calculate h(M3). The new digest is just [h(M1) + h(M2)] mod n since

This violates the third requirement that each digest must be randomly chosen based on the message given to the oracle.

11.2.1 Pigeonhole Principle

If n pigeonholes are occupied by n + 1 pigeons, then at least one pigeonhole is occupied by two pigeons. The generalized version of the pigeonhole principle is that if n pigeonholes are occupied by kn + 1 pigeons, then at least one pigeonhole is occupied by k + 1 pigeons.

Birthday Problem

What is the minimum value of k such that the probability is >= 0.5 that at least 2 people in a group of k people have the same birthday? That is, find the smallest value of k such that P(365, k) >= 0.5.

Solution:
k ≈ 1.18 × √n
For n = 365, k ≈ 1.18 × √365 = 22.54 ≈ 23

11.2.2 Continued

Comparison
Figure 11.8 Graph of four birthday problems

11.2.3 Continued
Example 11.6
A cryptographic hash function uses a digest of 64 bits. How many digests does Eve need to create to find the original message with probability more than 0.5?

Solution
The number of digests to be created is k ≈ 0.69 × 2^n ≈ 0.69 × 2^64. This is a large number. Even if Eve can create 2^30 (almost one billion) messages per second, it takes 0.69 × 2^34 seconds or more than 500 years. This means that a message digest of size 64 bits is secure with respect to preimage attack, but, as we will see shortly, is not secure against collision attack.

11.2.3 Continued
Example 11.7
A cryptographic hash function uses a digest of 64 bits. How many digests does Eve need to create to find two messages with the same digest with probability more than 0.5?

Solution
The number of digests to be created is k ≈ 1.18 × 2^(n/2) ≈ 1.18 × 2^32. If Eve can test 2^20 (almost one million) messages per second, it takes 1.18 × 2^12 seconds, or less than two hours. This means that a message digest of size 64 bits is not secure against the collision attack.
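
The birthday bound used in the birthday problem and in Example 11.7 can be checked directly. This added example (not from the original slides) computes the exact probability behind k ≈ 1.18 × √n and then goes beyond the 64-bit case in the text by finding a real collision on SHA-256 truncated to 24 bits, a size chosen here so the search finishes instantly. Function names and the message prefix are constructed for the illustration.

```python
# Added illustration: names and sample messages are constructed for this example.
import hashlib
import math


def p_shared(n: int, k: int) -> float:
    """Exact probability that k uniform samples from n values contain a repeat."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (n - i) / n
    return 1.0 - p_distinct


def smallest_k(n: int, target: float = 0.5) -> int:
    """Smallest k with p_shared(n, k) >= target, found by direct iteration."""
    k, p_distinct = 0, 1.0
    while 1.0 - p_distinct < target:
        p_distinct *= (n - k) / n
        k += 1
    return k


def truncated_digest(message: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a hash with a short digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") >> (256 - bits)


def find_collision(bits: int):
    """Hash counter-derived messages until two share a truncated digest."""
    seen = {}
    counter = 0
    while True:
        msg = b"constructed-sample-%d" % counter
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, counter + 1  # two messages, digests computed
        seen[d] = msg
        counter += 1


if __name__ == "__main__":
    print("n=365: smallest k =", smallest_k(365), "estimate =", 1.18 * math.sqrt(365))
    m1, m2, tries = find_collision(24)
    print("24-bit collision after", tries, "digests; estimate =", 1.18 * 2 ** 12)
    print(m1, m2, hex(truncated_digest(m1, 24)))
```

The work grows with 2^(n/2), which is why digest length, not only the quality of the hash, sets the ceiling on collision resistance.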

11-3 MESSAGE AUTHENTICATION

A message digest does not authenticate the sender of the message. To provide message authentication, Alice needs to provide proof that it is Alice sending the message and not an impostor.

The digest created by a cryptographic hash function is normally called a modification detection code (MDC). What we need for message authentication is a message authentication code (MAC).

11.3.1 Modification Detection Code (MDC)

A modification detection code (MDC) is a message digest that can prove the integrity of the message: that the message has not been changed.

If Alice needs to send a message to Bob and be sure that the message will not change during transmission, Alice can create a message digest, MDC, and send both the message and the MDC to Bob.

Bob can create a new MDC from the message and compare the received MDC and the new MDC. If they are the same, the message has not been changed.

11.3.1 Continued

Figure 11.9 Modification detection code (MDC)

11.3.2 Message Authentication Code (MAC)
A MAC includes a shared secret key.

Figure 11.10 Message authentication code

11.3.2 Continued

Note
The security of a MAC depends on the security of
the underlying hash algorithm.

11.3.2 Continued

Nested MAC
Figure 11.11 Nested MAC

HMAC

Keyed Hash Message Authentication Code

Figure 11.12 Details of Hashed MAC

HMAC uses the following parameters:

B      Block size (in bytes) of the input to the Approved hash function.
H      An Approved hash function.
ipad   Inner pad; the byte x'36' repeated B times.
K      Secret key shared between the originator and the intended receiver(s).
L      Block size (in bytes) of the output of the Approved hash function.
opad   Outer pad; the byte x'5c' repeated B times.
t      The number of bytes of MAC.
||     Concatenation
⊕      Exclusive-Or operation
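
As an added example (not part of the original slides), the parameters above can be assembled into the standard HMAC computation, H((K0 ⊕ opad) || H((K0 ⊕ ipad) || text)), and checked against Python's own hmac module; the same block contrasts the keyless MDC check with the keyed MAC check. SHA-256 as H, the function names and the sample key and messages are assumptions made for the illustration.

```python
# Added illustration: hmac_manual, verify, mdc_ok and the samples are constructed here.
import hashlib
import hmac


def hmac_manual(K: bytes, text: bytes, H=hashlib.sha256, t=None) -> bytes:
    """HMAC from the listed parameters: H((K0 ^ opad) || H((K0 ^ ipad) || text))."""
    B = H().block_size            # B: input block size in bytes (64 for SHA-256)
    L = H().digest_size           # L: output size in bytes (32 for SHA-256)
    if len(K) > B:                # a key longer than B is hashed down first
        K = H(K).digest()
    K0 = K.ljust(B, b"\x00")      # then zero-padded on the right to exactly B bytes
    ipad, opad = b"\x36" * B, b"\x5c" * B
    inner = H(bytes(a ^ b for a, b in zip(K0, ipad)) + text).digest()
    mac = H(bytes(a ^ b for a, b in zip(K0, opad)) + inner).digest()
    return mac[: (L if t is None else t)]   # keep the leftmost t bytes


def verify(K: bytes, text: bytes, tag: bytes, t: int = 32) -> bool:
    """Receiver side. t is fixed by the receiver, never taken from the received tag."""
    return hmac.compare_digest(hmac_manual(K, text, t=t), tag)


def mdc_ok(text: bytes, digest: bytes) -> bool:
    """Keyless MDC check: anyone who can change the text can recompute the digest."""
    return hmac.compare_digest(hashlib.sha256(text).digest(), digest)


# Constructed sample key and messages.
KEY = b"constructed-shared-key"
MESSAGE = b"transfer 100 to Bob"
TAMPERED = b"transfer 100 to Eve"
TAG = hmac_manual(KEY, MESSAGE)

if __name__ == "__main__":
    print("matches stdlib:", TAG == hmac.new(KEY, MESSAGE, hashlib.sha256).digest())
    print("MDC accepts recomputed digest:", mdc_ok(TAMPERED, hashlib.sha256(TAMPERED).digest()))
    print("MAC accepts tampered text:", verify(KEY, TAMPERED, TAG))
```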
11.3.2 CMAC or CBCMAC
Figure 11.13 CMAC
