Session 12-13 Authentication
Network Security
P C Gupta
Contents
Message Authentication
• Message authentication and adversarial attacks
• Properties of cryptographic hash function
• Hash algorithms SHA, Whirlpool
• Message Authentication Code (MAC)
• Attacks on MAC
• MAC algorithms HMAC, CMAC
Message Authentication
• Adversary can
a) alter content/sequence of message from Alice,
b) replay an old valid message of Alice,
c) send a fraudulent message posing as Alice.
• Encryption does not protect authenticity of a message.
– Adversary can alter ciphertext just to spoil the message.
• Bob needs a mechanism to verify message integrity and its origin.
• Message authentication refers to both aspects: a) integrity and b) origin.
Message Integrity
[Figure: message integrity check. Labels: hash function (twice), digest (twice), compare.]
Attacks on Message Integrity
[Figure: attacks on message integrity. Labels: message, hash function h, compare; key K, MAC, compare.]
Cryptographic Hash Function
Structure of Hash Function
[Figure: structure of an iterated hash function. Labels: message blocks (Block 1, Block 2, ..., Block N), pad, L (length of pad), initialization vector (IV), function f applied to each block, digest.]
Whirlpool
Message Authentication Code (MAC)
[Figure: MAC generation and verification. Labels: keyed hash function (h) with key K at each side, MAC (twice), compare.]
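MAC Based on Block Ciphers
[Figure: MAC based on a block cipher. Labels: message blocks m1, m2, m3, pad, IV, "+" at each block, key K at each block, MAC.]
[Figure: Labels: hash function with key K (twice), MAC (twice), compare.]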
MAC Based on Iterated Hash Function
[Figure: prefixed key. Labels: IV, K, m, m', H, H'.]
MAC Based on Iterated Hash Function
[Figure: suffixed key. Labels: IV, m, K, m'.]
Countermeasures
[Figure: countermeasures. Labels: IV, K, m, K; truncated MAC; H, H'.]
MAC Based on Iterated Hash Function
[Figure: Labels: K, m, h(Km), IV, H.]
HMAC
[Figure: HMAC. Labels: key K, ipad, k1, message m as blocks m1, m2, ..., mN, hash h with IV; opad, k2, hash h with IV; output HMAC.]
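The HMAC construction from this slide, written out step by step as an added example (not part of the original slides). SHA-256 as the hash h, the 16-byte tag length, the function names and the sample key and message are assumptions made for the example.

```python
import hashlib
import hmac  # standard library, used here only for the constant-time comparison

IPAD, OPAD = 0x36, 0x5C  # pad byte values defined for HMAC (RFC 2104)


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC written out step by step, using the slide's names k1 and k2."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-256
    # A key longer than one hash block is hashed first, then the key is
    # zero-padded to exactly one block.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    k1 = bytes(b ^ IPAD for b in key)  # K xor ipad, first block of the inner hash
    k2 = bytes(b ^ OPAD for b in key)  # K xor opad, first block of the outer hash
    inner = hashlib.new(hash_name, k1 + message).digest()
    return hashlib.new(hash_name, k2 + inner).digest()


def make_tag(key: bytes, message: bytes, tag_len: int = 16) -> bytes:
    """Sender side: keep the leftmost tag_len bytes as the MAC."""
    return hmac_manual(key, message)[:tag_len]


def verify_tag(key: bytes, message: bytes, tag: bytes, tag_len: int = 16) -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    if len(tag) != tag_len:  # reject tags shortened below the agreed length
        return False
    return hmac.compare_digest(make_tag(key, message, tag_len), tag)


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed sample key
    msg = b"pay Bob 100"             # constructed sample message
    tag = make_tag(key, msg)
    print("tag:", tag.hex())
    print("valid message accepted:", verify_tag(key, msg, tag))
    print("altered message accepted:", verify_tag(key, b"pay Bob 900", tag))
```

In production code, call `hmac.new(key, message, hashlib.sha256)` directly; the manual version is only there to make the two hash passes visible.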
CMAC
• CMAC is a CBC-MAC based on a block cipher, 3DES or AES.
• It has two additional sub-keys, k1 and k2, derived from the cipher key K.
– Sub-keys k1 and k2 prevent the message extension attack.
• If the message is
– a multiple of the block size, sub-key k1 is added to the last block.
– padded, sub-key k2 is added to the last block.
• The leftmost t bits of the encrypted output are used as a MAC of size t.
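[Figure: CMAC, two cases, each over message blocks m1, m2, m3 with IV, "+" at each block, key K at each block and output MAC. One case uses sub-key k1; the other has a padded last block and uses sub-key k2.]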