
Session 12, 13

Network Security

P C Gupta

Contents

➢ Message Authentication
• Message authentication and adversarial attacks
• Properties of cryptographic hash function
• Hash algorithms SHA, Whirlpool
• Message Authentication Code (MAC)
• Attacks on MAC
• MAC algorithms HMAC, CMAC

Message Authentication

[Figure: adversary alters content/sequence, replays, or sends a fraudulent message]

• Adversary can
a) alter content/sequence of message from Alice,
b) replay an old valid message of Alice,
c) send a fraudulent message posing as Alice.
• Encryption does not protect authenticity of a message.
– Adversary can alter ciphertext just to spoil the message.
• Bob needs mechanism to verify message integrity & its
origin.
• Message authentication refers to both the aspects
a) Integrity and b) Origin.
Message Integrity
[Figure: sender's hash function produces the digest; receiver recomputes the digest and compares]

• Integrity of a message refers to its content.


• As an integrity check, the sender attaches a cryptographic
digest of the message to it.
• The receiver re-computes the digest and compares it
with the received digest.
– If the received digest is different, it implies that the
message has been altered.
– We assume that the digest itself cannot be substituted or
altered.

Attacks on Message Integrity
[Figure: message hashed with h; receiver recomputes h and compares]

a) Adversary needs to find an alternative message having
same digest and substitute the original message.
– Hash function (h) is so designed that it is infeasible to
find an alternative message having the same digest.
b) He may replay an old message with its digest.
– As a countermeasure, time, or sequence number is
appended to the message before computing its digest.
– Bob accepts the message after verifying these
parameters and the digest.

[Figure: message with sequence number, time stamp, etc. appended; h computes the digest over both]
Attacks on Message Integrity
[Figure: message and key K fed to h to give the MAC; receiver recomputes the MAC with K and compares]

c) Hash function used for computing the digest is not a
secret. The adversary can
– create a fraudulent message, compute its digest and
– substitute both the original message and the digest.
• This attempt is countered by introducing another security
measure, keyed hash function.
– Hash function requires a secret key known to Alice & Bob.
The digest is called MAC (Message Authentication Code).
– Adversary cannot create a fraudulent message with MAC.
➢ We examine MAC later.
Cryptographic Hash Function

• Cryptographic hash function h maps a variable-size
message m to a fixed length digest h(m).
• For illustration, assume h(m) is modulo 2 addition.
    m     00000110
          10011001
          01010011
          10010110
    h(m)  01011010

– The digest h(m) is 8-bit long for any size of message m.
– There are $2^8 = 256$ possible digests in all.
• There can be several messages having same digest.
– If message has N bits & digest has n bits, (N>n), there
can be $2^N/2^n$ different messages that generate the same
digest.

Cryptographic Hash Function

• Possibility of having multiple messages with same digest
can create problems.
• Alice, Bob or the adversary, may replace the original
message with a fraudulent message having the same
digest.
a) Alice generates two different messages (m, x) having the
same digest. She sends m to Bob and uses x later to deny
the first message m.
b) The adversary replaces the original message with its
fraudulent message having the same digest.
c) Bob replaces the original message (m) from Alice with
another message (x) having the same digest and claims
that Alice sent the message (x).

Cryptographic Hash Function

[Figure: adversary computes digest (d) of the message and finds an alternative message having digest d; the encrypted digest is retained]

• Encrypting the digest does not provide protection.
Adversary can
– compute digest of the original message, then
– find alternative message with same digest, and then
– replace the original message with the alternative message
retaining the encrypted digest of the original message.
• To thwart all such possible attacks, the hash function is
carefully designed.

Cryptographic Hash Function

Properties of Cryptographic Hash Function h(x)


a) Compression.
– h(x) can take input x of variable size but it should produce
a fixed-length output.
b) One way (Pre-image resistant).
– For any given hash value y, it is infeasible to find any
input x (called pre-image) such that h(x) = y.
c) Weak collision resistant (2nd Pre-image resistant).
– For a given input x, it is computationally infeasible to find
another input x’ such that h(x’) = h(x).
d) Strong collision resistant.
– It is infeasible to find any two distinct inputs x and x’ such
that h(x) = h(x’).

Structure of Hash Function

[Figure: padded message split into Block 1, Block 2, …, Block N (L: length of pad); each block is fed to f in turn, starting from the initialization vector (IV), and the last output is the digest]

• Cryptographically secure hash function is an iterative
process. Its structure was proposed by Merkle.
• Message partitioned into a series of blocks & compressed
block by block using a compression function f.
• The iterated hash function can be
a) Customized hash function. E.g.
➢ Secure Hash Algorithm (SHA), MD5.
b) Based on block cipher. E.g.
➢ Whirlpool hash algorithm based on block cipher W.
Secure Hash Algorithm (SHA)

• SHA follows Merkle’s structure.


• There are four versions of the algorithm today,
– SHA-1, SHA-256, SHA-384 and SHA-512.
– These versions are similar in structure, except that they
produce digests of lengths 160, 256, 384 and 512 bits.
– Security column indicates number of messages required
to be produced to have likelihood of having two
messages with the same digest value.

Algorithm   Message size   Block size   Digest size   Security
            (Bits)         (Bits)       (Bits)
SHA-1       $< 2^{64}$     512          160           $2^{80}$
SHA-256     $< 2^{64}$     512          256           $2^{128}$
SHA-384     $< 2^{128}$    1024         384           $2^{192}$
SHA-512     $< 2^{128}$    1024         512           $2^{256}$

Whirlpool

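[Figure: Whirlpool iteration over 512-bit blocks (Block 1 … Block i … Block N): block cipher W with inputs m and K and output c, starting from the initialization vector (IV) and producing h]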

• Whirlpool is an iterated hash function based on
Miyaguchi-Preneel scheme.
• It generates digest of 512 bits.
• It is based on block cipher W (modified AES) with
– block size and cipher key size of 512 bits,
– all 0s IV for the first iteration.

Message Authentication Code (MAC)

• SHA and Whirlpool are un-keyed hash algorithms. These
algorithms are used for message integrity.
• Keyed hash functions provide data-origin authentication
in addition to message integrity.

[Figure: message and key K fed to the keyed hash function (h) to give the MAC; receiver recomputes the MAC with K and compares]

• There are two classes of MAC algorithms:


– MAC algorithms based on block ciphers.
– MAC algorithms based on iterated hash function.

MAC Based on Block Ciphers

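[Figure: CBC-MAC: blocks m1, m2, m3 (last block padded) are each XORed with the previous output (IV for the first block) and encrypted under K; the last output is the MAC]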

• Block cipher based MAC uses CBC mode of operation
and is referred to as CBC-MAC.
• The block cipher can be DES, triple DES or AES.
• The chaining mechanism makes each encrypted output
a function of previous blocks.
• The initialization vector (IV) is all zeros.
• The last encrypted output constitutes MAC. It may be
truncated to the required size of MAC.
MAC Based on Iterated Hash Function

[Figure: message and key K fed to the hash function to give the MAC; receiver recomputes the MAC with K and compares]

• MAC can be constructed using iterated hash function
(e.g. SHA).
• Alice prefixes or suffixes the secret key to the message
and computes hash using iterated hash function.
• She sends the message with the MAC to Bob.
– The key is not sent with the message.
• Bob verifies the MAC using the secret key.

MAC Based on Iterated Hash Function

Adversarial Attacks (Prefixed key MAC)

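[Figure: prefixed key: K followed by m is hashed from IV to give H; m’ is hashed starting from H to give H’; (m, H) becomes (m ‖ m’, H’)]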

a) Message Extension Attack
• The adversary can modify the original message m
having MAC value H by attaching fraudulent m’ to it.
He re-computes new MAC value H’.
➢ The key K is not required for this operation.
• The receiver will find concatenated message (m ‖ m’)
in order.

MAC Based on Iterated Hash Function

Adversarial Attacks (Suffixed key)

[Figure: suffixed key: m followed by K is hashed from IV to give H; since h(m) = h(m’), m’ followed by K gives the same H]
b) Message Replacement Attack
• The adversary can replace the original message m with
a fraudulent m’. The original MAC value H remains
same.
a) He finds m’ such that h(m) = h(m’).
➢ It is however difficult to find such message.
b) He attaches original H to m’.
➢ The key K is not required for this entire operation.
MAC Based on Iterated Hash Function

Countermeasures
[Figure: countermeasures: truncated MAC computed over K ‖ m; key K at both ends of the message (K ‖ m ‖ K) giving H]

• To prevent these adversarial attacks, alternatives are:
a) Send truncated hash as the MAC to prevent message
extension attack.
➢ The adversary cannot compute hash of the extended
message with the truncated MAC.
b) Concatenate the key at both the ends of the message.
➢ Prefixed key prevents message replacement attack.
➢ Suffixed key prevents extension of the message.

MAC Based on Iterated Hash Function

[Figure: K and m are hashed from IV to give h(K ‖ m); K and h(K ‖ m) are hashed again from IV to give H]

c) Use hash function twice with key prefixed h[K ‖ h(K ‖ m)].
➢ Inner prefixed key prevents message replacement
attack.
➢ The outer prefixed key makes it infeasible to extend
the message.
HMAC standard is based on this scheme.
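
The message extension attack on the prefixed-key MAC and the nested countermeasure h[K ‖ h(K ‖ m)], as an added example that is not part of the original slides. It uses a toy iterated hash (SHA-256 as a black-box compression function f, all-zero IV, constructed key and messages); all function names are assumptions, and the forged message carries the original padding between m and m’.

```python
import hashlib
import struct

BLOCK = 64            # block size in bytes
IV = bytes(32)        # all-zero IV (assumption for this toy hash)

def f(state, block):
    """Toy compression function f: SHA-256 over state || block."""
    return hashlib.sha256(state + block).digest()

def pad(total_len):
    """Pad for a message of total_len bytes: 0x80, zeros, 64-bit bit length."""
    zeros = -(total_len + 9) % BLOCK
    return b"\x80" + bytes(zeros) + struct.pack(">Q", total_len * 8)

def md_hash(msg, state=IV, prior_len=0):
    """Iterate f block by block; state/prior_len resume from an earlier digest."""
    data = msg + pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = f(state, data[i:i + BLOCK])
    return state

def prefix_mac(key, msg):
    return md_hash(key + msg)                     # H = h(K || m)

def nested_mac(key, msg):
    return md_hash(key + md_hash(key + msg))      # h[K || h(K || m)]

def extend(tag, key_len, msg, extra):
    """Build (m || pad || m', H') from (m, H) and len(K); K itself is never used."""
    glue = pad(key_len + len(msg))
    prior = key_len + len(msg) + len(glue)
    return msg + glue + extra, md_hash(extra, state=tag, prior_len=prior)

def demo():
    key = b"constructed-secret-key"               # constructed sample values
    msg, extra = b"amount=100", b"&note=appended"
    fm, ft = extend(prefix_mac(key, msg), len(key), msg, extra)
    prefix_accepts = prefix_mac(key, fm) == ft    # receiver recomputes with K
    fm2, ft2 = extend(nested_mac(key, msg), len(key), msg, extra)
    nested_accepts = nested_mac(key, fm2) == ft2
    return prefix_accepts, nested_accepts

if __name__ == "__main__":
    print(demo())
```

The receiver of the prefixed-key MAC accepts the extended message, while the same extension against the nested construction is rejected because the outer hash hides the inner chaining state.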

HMAC

• HMAC is a MAC standard based on SHA.


• It is used in the IPsec, SSL/TLS protocols and several
other applications.
• HMAC as a hash function can be expressed as
HMAC = h[k2 ‖ h(k1 ‖ m)]
– m is the message of blocks having size of b bits.
– h is SHA hash algorithm.
• k1 and k2 are derived from key K using ipad and opad.
k1 = K ⊕ ipad, ipad = 0x36 36 36 … 36 (Hexadecimal)
k2 = K ⊕ opad, opad = 0x5c 5c 5c … 5c (Hexadecimal)
• Size of k1 and k2 is made equal to the message block
size b by padding with zeros.

HMAC

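[Figure: K combined with ipad gives k1, which is hashed with message blocks m1 m2 … mN starting from IV; K combined with opad gives k2, which is hashed with the inner result starting from IV to give HMAC]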

• HMAC is as secure as the hash function (SHA) from
the collision resistance angle.
• Being a nested function, prefixing or suffixing
additional message block is not possible.
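
The HMAC expression with k1 = K ⊕ ipad and k2 = K ⊕ opad, written out and combined with the sequence-number replay check from the message integrity slides; this is an added example, not code from the original slides. K is zero-padded to the block size before the XOR, as RFC 2104 specifies, and the function names, the Receiver class, the 8-byte sequence field and all sample values are assumptions.

```python
import hashlib
import hmac

def hmac_from_formula(key, msg, h=hashlib.sha256):
    """h[k2 || h(k1 || m)] with k1 = K xor ipad, k2 = K xor opad."""
    b = h().block_size                      # block size b in bytes
    if len(key) > b:                        # RFC 2104: hash keys longer than b
        key = h(key).digest()
    key = key.ljust(b, b"\x00")             # pad K with zeros to b bytes
    k1 = bytes(x ^ 0x36 for x in key)
    k2 = bytes(x ^ 0x5C for x in key)
    return h(k2 + h(k1 + msg).digest()).digest()

def seal(key, seq, msg):
    """Sender: the MAC covers the sequence number as well as the message."""
    return seq, msg, hmac_from_formula(key, seq.to_bytes(8, "big") + msg)

class Receiver:
    def __init__(self, key):
        self.key, self.last_seq = key, -1

    def accept(self, seq, msg, tag):
        expected = hmac_from_formula(self.key, seq.to_bytes(8, "big") + msg)
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return "bad-mac"
        if seq <= self.last_seq:                     # old but valid message
            return "replay"
        self.last_seq = seq
        return "ok"

def demo():
    key = b"constructed-shared-key"                  # constructed sample values
    bob = Receiver(key)
    seq, msg, tag = seal(key, 1, b"transfer 100")
    return [bob.accept(seq, msg, tag),               # fresh, valid MAC
            bob.accept(seq, msg, tag),               # same message replayed
            bob.accept(2, b"transfer 900", tag)]     # altered content, old MAC

if __name__ == "__main__":
    print(demo())
```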

CMAC
• CMAC is CBC-MAC based on block cipher 3DES or AES.
• It has two additional sub-keys k1 and k2 derived from
cipher key K.
– Sub-keys k1 and k2 prevent message extension attack.
• If the message is
– multiple of block size, sub-key k1 is added to the last block.
– padded, sub-key k2 is added to the last block.
• Leftmost t bits of the encrypted output are used as MAC
of size t.
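[Figure: CBC-MAC over m1 m2 m3 with IV and key K, shown twice: with sub-key k1 added to the last block, and with sub-key k2 added to the padded last block; the output is the MAC]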
