453 network security section 3a: message authentication and public-key cryptography dr. e.c....

453 Network Security453 Network Security

Section 3a: Message Authentication and Public-Key Cryptography

Dr. E.C. Kulasekere

Sri Lanka Institute of Information Technology - 2006

OutlineOutline

• Message authentication vs. message confidentiality. Both required?

• Authentication methods– Hash functions– Secure hash function– Message authentication code (MAC)

• Public-key cryptography principles.• Public-key cryptography algorithms.• Digital signatures / implementation. • Key management techniques.

Cryptography and SecurityCryptography and Security

Intruders, eavesdroppers and masqueraders in communication. A threat on message confidentiality and authentication

Confidentiality Vs. Authentication (1)Confidentiality Vs. Authentication (1)

• Confidentiality safeguards your information from being viewed by others.

• This is protecting message content. Stop interception.

• Authentication verifies the integrity of data as well as verifying the sender.

• This can stop fabrication/Modification

Confidentiality Vs. Authentication (2)Confidentiality Vs. Authentication (2)

• Authentication is arguably more important that message confidentiality (secrecy) in eCommerce applications.

• Generically encryption protects against passive attacks such as eavesdropping.

• Authentication provides protection against active attacks such as falsification and fabrication of data.

Authentication Without Confidentiality Authentication Without Confidentiality

• Is it desirable only to have authentication while ignoring message confidentiality?

• Example situation; civilian email versus military email.

• There are applications in which the same message is broadcast to a number of destinations. The content need not be secret but they need to be authenticated. Eg. ?

Example SituationsExample Situations

• Another scenario is if a system is handling a heavy load of messages and it cannot afford to spend time decrypting. The system will selectively decrypt to authenticate.

• Authentication of computer programs etc. Each time you use it its easier to authenticate a tag rather than go through a decryption program every time.

Primary Concerns of Authentication (1)Primary Concerns of Authentication (1)

• Message came from apparent source or author – Source Authentication

• Contents have not been altered – Message Authentication

• Message timeliness or the sequence in which it was sent is not disturbed (it has not been artificially delayed or replayed).

Primary Concerns of Authentication (2)Primary Concerns of Authentication (2)

• The above will be based on attacks such as – Disclosure– Traffic analysis– Masquerading– Fabrication– Sequence and timing modifications

Approaches to Message Authentication

Approaches to Message Authentication

• Broadly categorized into two methods, ones that uses encryption and ones that do not.

• Approaches– One that uses a key and encryption of

message– One that does not use a key.– One that uses a key but no encryption of the

message

Authentication CategoriesAuthentication Categories

• Authentication using conventional encryption: Only the sender and receiver should share a key which will provide the necessary authentication.

• Message authentication without message encryption: An authentication tag is generated and attached to the message. Message confidentiality is not guaranteed since the message is not encrypted.

• Message Authentication code: Calculate the MAC as a function of the message and the key.

Authentication Based on Message Encryption

Authentication Based on Message Encryption

• message encryption by itself also provides a measure of authentication. The analysis differs for symmetric and asymmetric encryption schemes.

• if symmetric encryption is used then:– receiver know sender must have created it– since only sender and receiver now key used– know content cannot of been altered– if message has suitable structure, redundancy

or a checksum to detect any changes

Authentication Based on Message Encryption …


Symmetric encryption: confidentiality and authentication provided



• if public-key encryption is used:– encryption provides confidentiality but not

authentication of sender– since anyone potentially knows public-key– however if

• sender signs message using their private-key• then encrypts with recipients public key• have both secrecy and authentication

– again need to recognize corrupted messages• Measure of error control can be used.

– but at cost of two public-key used on message



• This is the straightforward use of public key encryption. Source A uses the public key KUb of the destination to encrypt M

• This scheme does not provide any authentication because any opponent could also use B’s public key to encrypt a message claiming to be A

• B can decrypt at the destination because he is the only one who has the private key KRb



• To provide the authentication part A uses its private key to encrypt the message, and B uses A’s public key to decrypt to authenticate.

• The principle here is similar to the digital signature principle.

• The reasoning is that A should be the only one who as A’s private key to generate that ciphered text.

• However this does not provide confidentiality since anyone with A’s public key can decrypt and see the message.



• To provide both confidentiality and authentication, A can encrypt M first using its private key (the digital signature), then use B’s public key which will provide confidentiality.

• The only disadvantage is that the public key algorithm, which is complex must be exercises four times rather than two in each communication.

Authentication Based on Message Authentication Code (MAC)

Authentication Based on Message Authentication Code (MAC)

• generated by an algorithm that creates a small fixed-sized block– depending on both message and some key– like encryption though need not be reversible

• receiver performs same computation on message and checks it matches the MAC. (Note that the MAC is not decoded hence cannot be used for anything).

• provides assurance that message is unaltered and comes from sender

MAC ImplementationMAC Implementation

Requirements for MACRequirements for MAC

• Take into account the type of attacks– Brute force attack may not be feasible to

attack MAC code.– See MAC write-up for reasons

• Need a MAC to satisfy the following– knowing a message and MAC, is infeasible

to find another message with same MAC– MACs should be uniformly distributed.– MAC should depend equally on all bits of the

message.

Features of MACFeatures of MAC• As shown the MAC provides confidentiality.

• The receiver is assured that the message is not altered.

• The attacker cannot alter the message without altering the MAC.

• Since the secret key is not known MAC cannot be altered and will be found out at matching at receiver.

• As a result the receiver is assured that it came from the sender.

Features of MAC …Features of MAC …

• can also use encryption for secrecy– generally use separate keys for each– can compute MAC either before or after

encryption– is generally regarded as better done before

• The message sequence number is also coded into the MAC, hence replay attacks and timing attacks are also not possible.

Features of MAC …Features of MAC …

• why use a MAC?– sometimes only authentication is needed– sometimes need authentication to persist

longer than the encryption (eg. archival use)

• Note that MAC is not a digital signature, rather a cryptographic checksum.

MAC ImplementationsMessage AuthenticationMAC Implementations

Message Authentication

MAC ImplementationsMessage Authentication and

Confidentiality: Authentication Tied to plaintext


Confidentiality: Authentication Tied to plaintext


Confidentiality: Authentication Tied to ciphertext


Confidentiality: Authentication Tied to ciphertext

MAC Based on DESMAC Based on DES

1. Based on CBC with IV set to zero

2. Block size is 64. The last block may be padded with zeros to make a 64-bit block

3. The data authentication code (DAC) consists of all O_N blocks or the last one. It can also be the left most M bits of the last block too. Remember that the MAC need not be reversible as in the case of encryption. We need to compare only.

Authentication Based on Hash (1)Authentication Based on Hash (1)

• Variation of MAC known as one way hash functions can be used for authentication.

• Unlike the MAC, the hash function does not require a secret key.

• The Hash function accepts a variable size message and outputs a fixed size message digest H(M).

Authentication Based on Hash (2)Authentication Based on Hash (2)• To authenticate a message, the message

digest is sent with the message in such a way that the message digest is authentic.

• hash used to detect changes to message• can use in various ways with message

– Using conventional encryption– Using public-key encryption– Using secret value

• Hash function itself is not considered to be secret. Hence systems described in the previous slides or the ones that follow have to be used to protect the hash.

• Based on the assumption that only the sender and receiver have the secret key.

• Hence authenticity is assured.• The entire message is not encrypted.

One way Hash Authentication using Conventional Encryption

One way Hash Authentication using Conventional Encryption

One-Way Hash Function AuthenticationUsing Public-Key Encryption

One-Way Hash Function AuthenticationUsing Public-Key Encryption

• This will provide a digital signature as well as message authentication.

• Advantage is that it does not require the distribution of keys to communicating parties.

• The entire message is not encrypted.

One-Way Hash Function AuthenticationUsing Secret Value

One-Way Hash Function AuthenticationUsing Secret Value

• No encryption for message authentication.• The communicating parties share a common secret value that

is coded into the message.• Since the secret value itself is not sent, it is hard for the

attacker to modify the intercepted message. • Authentication is provided but no confidentiality is provided.

Variants of Hash Functions:Encrypt Message Plus Hash Code

Variants of Hash Functions:Encrypt Message Plus Hash Code

• Both message and hash code encrypted.• The message must have come from A if it is not altered (checked

using hash) since only A and B have access to the secret key.• Confidentiality is provided since the encryption is applied to

both hash + normal message.

Variants of Hash Functions:Encrypted Hash Code – Shared Key

Variants of Hash Functions:Encrypted Hash Code – Shared Key

• Only hash code is encrypted using symmetric encryption.• Authentication is provided but not confidentiality.• Reduces processing burden for applications that do not

require confidentiality.

Variants of Hash :Encrypt Hash Code Sender’s private key

Variants of Hash :Encrypt Hash Code Sender’s private key

• Only hash code is encrypted using the senders private key with public-key encryption.

• Authentication is provided but not confidentiality.• Provides a digital signature.

Variants of Hash Functions:Encrypt Results of (c) – Shared secret key

Variants of Hash Functions:Encrypt Results of (c) – Shared secret key

• Message and the public-key encrypted hash code is encrypted using symmetric key.

• Confidentiality and digital signature is provided.

Variants of Hash Functions:Compute Hash Code of Message Plus

Secret Value

Variants of Hash Functions:Compute Hash Code of Message Plus

Secret Value

• Assumes parties communicating have the secret value.• No encryption.• Source A computes the hash code over the concatenation of M

and S and appends the result to M.• Authentication is provided.

Variants of Hash Functions:Encrypt Result of (e)

Variants of Hash Functions:Encrypt Result of (e)

• Confidentiality is added to the approach in (e) using symmetric key encryption.

SummarySummary

453 network security section 3a: message authentication and public-key cryptography dr. e.c....

Documents

authentication tag

outlinemessage authentication

measure of authentication

necessary authentication

message content

message authenticationbroadly

conventional encryption

encryption of messageone