MADIS SARALITA – 5112100038 Information and Network Security (C)
PART 3 : CRYPTOGRAPHIC
DATA INTEGRITY ALGORITHMS
CHAPTER 11
CRYPTOGRAPHIC HASH FUNCTIONS
CHAPTER 12
MESSAGE AUTHENTICATION CODES
CHAPTER 13
DIGITAL SIGNATURES
CHAPTER 11
CRYPTOGRAPHIC HASH FUNCTIONS
A hash function is denoted by H. H takes as input a variable-length block of data M and
outputs a fixed-size hash value h = H(M). The purpose of a hash function is data integrity.
A cryptographic hash function is an algorithm for which it is computationally infeasible to find an input that produces a given hash value, or two inputs that produce the same hash value. Because
of that, hash functions are often used to determine whether data has changed.
11.1 APPLICATIONS OF CRYPTOGRAPHIC HASH FUNCTIONS
Message Authentication
Message authentication is a mechanism to verify the integrity of a message. It ensures that the message received is genuine and contains no modification. In message authentication, the hash function value is referred to as a message digest. Some methods avoid encryption because:
Encryption software is relatively slow.
High costs for encryption hardware.
Encryption hardware is not optimized for small blocks of data.
Cost for the licensed encryption algorithms.
A Message Authentication Code (MAC) is the most commonly used function for message authentication. It is also known as a keyed hash function, and it is used to authenticate information exchanged between two parties.
Digital Signatures
A digital signature is a system that is similar to a MAC. The hash value in this system is encrypted with a user’s private key. Anyone who knows the user’s public key can verify the message. These are the steps by which a hash code provides a digital signature:
The hash code is encrypted using public key encryption with the sender’s private key.
Then, the message plus the private key encrypted hash code can be encrypted using a symmetric secret key.
Other Applications
Hash functions are commonly used to create a one-way password file.
Hash functions can be used for intrusion detection.
Hash functions can also be used for virus detection.
A Pseudorandom Function (PRF) or a Pseudorandom Number Generator (PRNG) can be constructed from a cryptographic hash function.
11.2 TWO SIMPLE HASH FUNCTIONS
That operation will produce a simple parity for each bit position. It is also known as a longitudinal redundancy check.
Another simple hash function uses a rotated XOR (RXOR). This procedure has the effect of randomizing the input more completely. For a message M that consists of a sequence of 64-bit blocks, the hash code is defined by
Then, the message plus hash code is encrypted using CBC mode to produce the encrypted message.
But X_{N+1} is the hash code :
The hash code would not change if the ciphertext blocks were permuted.
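The two simple hash functions of this section, written out as an added example that is not part of the original notes: the plain XOR of all 64-bit blocks and the rotated XOR. The function names and the sample message are constructed for illustration; the comparison shows that reordering blocks leaves the plain XOR hash unchanged while the rotated XOR changes.

```python
MASK64 = (1 << 64) - 1   # 64-bit blocks, as in this section


def blocks64(message):
    """Split a message into 64-bit integers, zero-padding the last block."""
    data = message + b"\x00" * (-len(message) % 8)
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]


def xor_hash(blocks):
    """Bit-by-bit XOR of every block: one parity bit per bit position."""
    h = 0
    for block in blocks:
        h ^= block
    return h


def rxor_hash(blocks):
    """Rotated XOR: rotate the running hash left by one bit, then XOR the block in."""
    h = 0
    for block in blocks:
        h = ((h << 1) | (h >> 63)) & MASK64
        h ^= block
    return h


def compare_under_permutation(message):
    """Swap the first two blocks and report whether each hash stays the same."""
    original = blocks64(message)
    permuted = [original[1], original[0]] + original[2:]
    return (xor_hash(original) == xor_hash(permuted),
            rxor_hash(original) == rxor_hash(permuted))


SAMPLE = b"ABCDEFGHIJKLMNOPQRSTUVWX"   # constructed 3-block message

if __name__ == "__main__":
    print(hex(xor_hash(blocks64(SAMPLE))))
    print(compare_under_permutation(SAMPLE))
```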
11.3 REQUIREMENTS AND SECURITY
Security Requirements for Cryptographic Hash Functions
For a hash value h = H(x), x is the preimage of h, where x is a data block. Because H is a many-to-one mapping, a collision occurs if we have x ≠ y and H(x) = H(y). Such collisions are clearly undesirable.
Requirements for a Cryptographic Hash Function H :
Variable input size
Fixed output size
Efficiency
Preimage resistant (one-way property)
Second preimage resistant (weak collision resistant)
Collision resistant (strong collision resistant)
Pseudorandomness
Brute-Force Attacks
A brute-force attack depends only on the bit length of the hash value.
A brute-force attack does not depend on the specific algorithm.
Hash function resistance properties required for various data integrity applications
Cryptanalysis
A cryptanalytic attack on a hash function works by exploiting some property of the algorithm.
An ideal hash algorithm requires cryptanalytic effort greater than or equal to the brute-force effort.
The hash algorithm uses a compression function repeatedly.
The function takes two inputs, a chaining variable and a b-bit block.
The function produces an n-bit output.
The hash function can be summarized as
Cryptanalytic attacks focus on the internal structure of the compression function.
11.4 HASH FUNCTIONS BASED ON CIPHER BLOCK CHAINING
Based on CBC, the hash function divides a message M into fixed-size blocks and uses a symmetric encryption system to compute the hash code G as
The difference is that there is no secret key in this case.
Steps of the algorithm :
o Calculate the unencrypted hash code G.
o Construct any desired message in the form Q_1, Q_2, . . . , Q_{N-2}.
o Compute H_i = E(Q_i, H_{i-1}) for 1 ≤ i ≤ (N-2).
o Generate random blocks.
o Based on the birthday paradox, with high probability there will be an X and Y such that E(X, H_{N-2}) = D(Y, G).
o Form the message Q_1, Q_2, . . . , Q_{N-2}, X, Y. This message has the hash code that can be used with the intercepted encrypted signature.
11.5 SECURE HASH ALGORITHM (SHA)
Secure Hash Algorithm (SHA) is the most widely used hash function.
SHA-512 Logic
Takes as input a message with a maximum length of less than 2^128 bits.
The input is processed in 1024-bit blocks.
Produces as output a 512-bit message digest.
Comparison of SHA Parameters
Steps of the algorithm :
o Append padding bits.
o Append length.
o Initialize hash buffer.
o Process message in 1024-bit (128-word) blocks.
o Output.
SHA-512 Round Function
Each round is defined by the following set of equations :
The remaining values are defined as :
11.6 SHA-3
Beyond the basic requirements, NIST has defined a set of evaluation criteria for the new hash standard, known as SHA-3. The criteria are designed to cover applications that include digital signatures, hashed message authentication codes, key generation, and pseudorandom number generation.
SHA-3 algorithms are designed to resist any potentially successful attack on SHA-2 functions.
SHA-3 should be efficient over a range of hardware platforms (time and memory).
SHA-3 is more flexible.
Question :
Based on sources I read on the internet, when using SHA-512, a number of padding bits are added so that the message length is congruent to 896 mod 1024. How is the message made congruent? And why must it be congruent to 896 mod 1024?
SOURCE
CHAPTER 12
MESSAGE AUTHENTICATION CODES
12.1 MESSAGE AUTHENTICATION REQUIREMENTS
Disclosure
Release of message contents to any person or process that does not have the appropriate cryptographic key.
Traffic analysis
Discovery of the pattern of traffic.
Masquerade
Insertion of messages into the network, presented as coming from an authorized source.
Content modification
Changes to the contents of a message.
Sequence modification
Modification of the sequence of messages.
Timing modification
Delay or replay of messages.
Source repudiation
Message transmission is denied by the source.
Destination repudiation
Message receipt is denied by the destination.
12.2 MESSAGE AUTHENTICATION FUNCTIONS
Types of functions that may be used to produce an authenticator :
Hash function
Message encryption
Message authentication code (MAC)
Message Encryption
Symmetric Encryption
Symmetric encryption provides authentication as well as confidentiality.
It may be difficult to determine if incoming ciphertext decrypts to intelligible plaintext.
The solution is to force the plaintext to have some structure that is easily recognized.
Such plaintext cannot be replicated without recourse to the encryption function.
With internal error control, authentication is provided because it is difficult to produce ciphertext that has valid error control bits when decrypted.
Public-Key Encryption
Public-key encryption is used to provide confidentiality.
Public-key encryption by itself cannot be used to provide authentication.
To provide both confidentiality and authentication, the sender can encrypt the message first using its private key, which provides the digital signature, and then using the receiver's public key, which provides confidentiality.
The disadvantage is the complexity of the public-key algorithm.
Message Authentication Code
A Message Authentication Code (MAC), also known as a cryptographic checksum, is an alternative authentication technique that uses a secret key to generate a small fixed-size block of data.
MAC function
MAC algorithm need not be reversible.
MAC function is a many-to-one function.
In the first case, the MAC is calculated with the message as input, and then the entire block is encrypted.
In the second case, the message is encrypted first, then MAC is calculated using the result of ciphertext.
MAC does not provide a digital signature because both sender and receiver share the same key.
12.3 REQUIREMENTS FOR MESSAGE AUTHENTICATION CODES
Consider the following MAC algorithm. Let M = (X_1 || X_2 || . . . || X_m) be a message that is treated as a concatenation of 64-bit blocks X_i. Then define
The opponent can attack the system by replacing X through Y which is calculated as
If an opponent observes M and MAC(K, M), it should be computationally infeasible for the opponent to construct a message M' such that MAC(K, M') = MAC(K, M).
MAC(K, M) should be uniformly distributed in the sense that for randomly chosen messages M and M', the probability that MAC(K, M) = MAC(K, M') is 2^(-n), where n is the number of bits in the tag.
12.4 SECURITY OF MACS
Brute-Force Attacks
A brute-force attack on a MAC is more difficult than one on a hash function because it requires known message-tag pairs. If an attacker can determine the MAC key, a valid MAC value can be generated for any input x. If more than one key is found, additional text-tag pairs must be tested.
An attacker can also work without attempting to recover the key. The objective is to find a message that matches a given tag. The attack cannot be conducted offline without further input, so the attacker will require chosen text-tag pairs.
Cryptanalysis
Cryptanalytic attacks on a MAC work by exploiting some property of the algorithm.
An ideal MAC algorithm will require cryptanalytic effort greater than or equal to the brute-force effort.
There is more variety in the structure of MACs than in hash functions, so it is difficult to generalize about the cryptanalysis of MACs.
12.5 MACS BASED ON HASH FUNCTIONS:HMAC
Cryptographic hash functions such as MD5 and SHA are faster than symmetric block ciphers such as DES when executed in software, and library code for cryptographic hash functions is widely available.
HMAC Design Objectives
The objectives for HMAC :
To use hash functions that perform well and whose code is freely available.
To allow easy replacement of the hash function.
To keep the original performance of the hash function.
To use and handle keys in a simple way.
HMAC Algorithm
The picture above shows the HMAC structure. HMAC can then be expressed as
H is a cryptographic hash function,
K is a secret key padded to the right with extra zeroes to the input block size of the hash function, or the hash of the original key if it's longer than that block size,
m is the message to be authenticated,
| denotes concatenation,
⊕ denotes exclusive or (XOR),
opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant),
ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).
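The definitions above, assembled into code as an added example that is not part of the original notes: the key is hashed if it is longer than the block size, padded with zeroes, XORed with ipad and opad, and used in an inner and an outer hash. The function names are chosen here for illustration; the result is cross-checked against Python's standard hmac module, and the hash function is a parameter so that it can be replaced.

```python
import hashlib
import hmac


def hmac_manual(key, message, hash_name="sha256"):
    """HMAC built step by step from the definitions; hash_name selects H."""
    block_size = hashlib.new(hash_name).block_size    # input block size of H, in bytes
    if len(key) > block_size:                         # long key: use its hash instead
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")              # pad to the right with zeroes
    ipad_key = bytes(b ^ 0x36 for b in key)           # K xor ipad
    opad_key = bytes(b ^ 0x5C for b in key)           # K xor opad
    inner = hashlib.new(hash_name, ipad_key + message).digest()
    return hashlib.new(hash_name, opad_key + inner).digest()


def verify_tag(key, message, tag, hash_name="sha256"):
    """Receiver side: recompute the tag and compare it in constant time."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)


def matches_stdlib():
    """Compare with the hmac module for several hashes and key lengths."""
    message = b"constructed sample message"
    for hash_name in ("sha1", "sha256", "sha512"):
        block_size = hashlib.new(hash_name).block_size
        # Short key, key of exactly one block, key longer than one block.
        for key in (b"k", b"K" * block_size, b"long" * block_size):
            expected = hmac.new(key, message, hash_name).digest()
            if hmac_manual(key, message, hash_name) != expected:
                return False
    return True


if __name__ == "__main__":
    tag = hmac_manual(b"shared secret", b"transfer 10 units")
    print(tag.hex(), verify_tag(b"shared secret", b"transfer 10 units", tag))
    print(matches_stdlib())
```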
Security of HMAC
The cryptographic strength of the HMAC depends upon the size of the secret key that is used. The most common attack against HMACs is brute force to uncover the secret key. HMACs are substantially less affected by collisions than their underlying hashing algorithms alone.
12.6 MACS BASED ON BLOCK CIPHERS: DAA AND CMAC
Data Authentication Algorithm
The Data Authentication Algorithm (DAA) is an older algorithm that was used for producing cryptographic message authentication codes. According to the standard, a code produced by the DAA is called a Data Authentication Code (DAC). The algorithm chain encrypts the data, with the last cipher block truncated and used as the DAC.
Cipher-Based Message Authentication Code (CMAC)
CMAC (Cipher-based Message Authentication Code) is a block cipher-based message authentication code algorithm. It may be used to provide assurance of the authenticity and the
depends only on b. (Specifically, C is the non-leading coefficients of the lexicographically first irreducible degree-b binary polynomial with the minimal number of ones.)
3. If msb(k1) = 0, then k2 = k1≪ 1, else k2 = (k1≪ 1) ⊕C.
4. Return keys (k1, k2) for the MAC generation process.
12.7 AUTHENTICATED ENCRYPTION: CCM AND GCM
Four common approaches to providing both confidentiality and authentication for a message :
HtE: Hash-then-encrypt
MtE: MAC-then-encrypt
EtM: Encrypt-then-MAC
E&M: Encrypt-and-MAC
Counter with Cipher Block Chaining-Message Authentication Code
CCM is a variation of the encrypt-and-MAC approach to authenticated encryption. The input to the CCM encryption process consists of three elements :
Data that will be both authenticated and encrypted.
Associated data A that will be authenticated but not encrypted.
A nonce N that is assigned to the payload and the associated data.
Galois/Counter Mode
Galois/Counter Mode (GCM) is a mode of operation for symmetric key cryptographic block ciphers that has been widely adopted because of its efficiency and performance. GCM throughput rates for state of the art, high speed communication channels can be achieved with reasonable hardware resources. It is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality. GCM is defined for block ciphers with a block size of 128 bits.
The authentication tag is constructed by feeding blocks of data into the GHASH function, and encrypting the result. This GHASH function is defined by
where variable of Xi is defined as
GCM is ideal for protecting packetized data, because it has minimum latency and minimum operation overhead.
12.8 PSEUDORANDOM NUMBER GENERATION USING HASH FUNCTIONS AND MACS
PRNG Based on Hash function
The algorithm needs the following inputs:
V = seed
seedlen = bit length of V ≥ k + 64, where k is a desired security level expressed in bits
n = desired number of output bits
PRNG Based on MAC function
A higher degree of confidence can be achieved by using a MAC. A MAC-based PRNG is constructed with HMAC, because HMAC is widely implemented in many protocols and applications.
There are two inputs to the MAC function, a key K and a seed V. The combination of K and V forms the overall seed for the PRNG. If we assume that HMAC is secure, knowledge of the input and output should not be sufficient to recover K and hence not sufficient to predict future pseudorandom bits.
Question :
In HMAC, when the sender sends the hash, they also send the hashing key. When this hash and hashing key are combined, they form a new value. What is the function of this resulting value?
SOURCE
W. Stallings, Cryptography and Network Security: Principles and Practice, Fifth Edition, New York: Prentice Hall, 2011.
http://en.wikipedia.org/wiki/Hash-based_message_authentication_code accessed on 27 April 2015
http://en.wikipedia.org/wiki/Data_Authentication_Algorithm accessed on 27 April 2015
http://en.wikipedia.org/wiki/CMAC accessed on 27 April 2015
CHAPTER 13
DIGITAL SIGNATURES
13.1 DIGITAL SIGNATURES
Properties
The picture above is a generic model of the digital signature process. A digital signature must have the following properties :
The author and the date and time of the signature must be verified.
The contents at the time of the signature must be authenticated.
Must be verifiable by third parties, to resolve disputes.
Attacks and Forgeries
Key-only attack: A’s public key is known by C.
Known message attack: A set of messages and signatures are given to C.
Generic chosen message attack: C chooses a list of messages before attempting to break A’s signature scheme.
Directed chosen message attack: Similar to the generic attack, but the list of messages is chosen after C knows A’s public key but before any signatures are seen.
Digital Signature Requirements
The signature must be a bit pattern.
The signature must use unique information.
It must be easy to produce the digital signature.
It must be easy to recognize and verify the digital signature.
It must be computationally infeasible to forge a digital signature.
It must be practical to retain a copy of the digital signature.
Direct Digital Signature
The term direct digital signature refers to a scheme that involves only the communicating parties. By encrypting the entire message plus signature with a shared secret key (symmetric encryption), confidentiality is ensured.
13.2 ELGAMAL DIGITAL SIGNATURE SCHEME
The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms.
Let H be a collision-resistant hash function.
Let p be a large prime such that computing discrete logarithms modulo p is difficult. Let g < p be a randomly chosen generator of the multiplicative group of integers modulo p .
These steps are performed once by the signer.
Signature generation
To sign a message m the signer performs the following steps.
Choose a random k such that 1 < k < p − 1 and gcd(k, p − 1) = 1.
Compute
Compute
If s = 0 start over again.
Then the pair (r,s) is the digital signature of m. The signer repeats these steps for every signature.
Verification
A signature (r, s) of a message m is verified as follows.
0 < r < p and 0 < s < p − 1.
Correctness
The algorithm is correct in the sense that a signature generated with the signing algorithm will always be accepted by the verifier.
The signature generation implies
Hence Fermat's little theorem implies
13.3 SCHNORR DIGITAL SIGNATURE SCHEME
In cryptography, a Schnorr signature is a digital signature produced by the Schnorr signature algorithm. Its security is based on the intractability of certain discrete logarithm problems. The Schnorr signature is considered the simplest digital signature scheme to be provably secure in a random oracle model. It is efficient and generates short signatures.
The first part of the scheme is the generation of a private/public key pair, by the following steps.
1. Choose primes p and q, such that q is a prime factor of p - 1.
2. Choose an integer a, such that a^q = 1 mod p.
3. Choose a random integer s with 0 < s < q.
4. Calculate v = a^(-s).
Then a user with private key s and public key v generates a signature :
1. Choose a random integer r with 0 < r < q and compute x = a^r mod p.
2. Concatenate the message with x and hash the result to compute the value e : e = H(M||x)
3. Compute y = (r + se) mod q. The signature consists of the pair (e, y).
Any other user can verify the signature as follows.
1. Compute x’ = a^y v^e mod p.
2. Verify that e = H(M||x’).
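The key generation, signing and verification steps above, run end to end as an added example that is not part of the original notes. The parameters p = 2039, q = 1019, a = 4 are constructed toy values, far too small for real use, and SHA-256 stands in for H as an assumption; the function names are chosen here for illustration.

```python
import hashlib
import secrets

# Toy parameters constructed for this example (not secure sizes).
P = 2039     # prime p
Q = 1019     # prime q, a factor of p - 1 (2038 = 2 * 1019)
A = 4        # a = 2^((p-1)/q) mod p, so a^q = 1 mod p
assert (P - 1) % Q == 0 and A != 1 and pow(A, Q, P) == 1


def H(message, x):
    """e = H(M || x), with x encoded as a fixed-width big-endian integer."""
    x_bytes = x.to_bytes((P.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(message + x_bytes).digest(), "big")


def keygen():
    """Private key s with 0 < s < q, public key v = a^(-s) mod p."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(A, Q - s, P)          # a^(q-s) = a^(-s) because a^q = 1


def sign(message, s, r=None):
    """Signature (e, y). r must be fresh and secret for every signature."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    x = pow(A, r, P)
    e = H(message, x)
    y = (r + s * e) % Q
    return e, y


def verify(message, signature, v):
    """Recompute x' = a^y v^e mod p and check e = H(M || x')."""
    e, y = signature
    if not 0 <= y < Q:
        return False
    x_prime = pow(A, y, P) * pow(v, e, P) % P
    return e == H(message, x_prime)


if __name__ == "__main__":
    s, v = keygen()
    sig = sign(b"constructed message", s)
    print(verify(b"constructed message", sig, v))    # accepted
    print(verify(b"constructed messagE", sig, v))    # rejected: message changed
```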
To see that the verification works, observe
13.4 DIGITAL SIGNATURE STANDARD
The DSS Approach
Designed to provide only the digital signature.
DSS cannot be used for encryption or key exchange.
DSS uses a public-key technique.
The signature function depends on the sender’s private key.
Only the sender, with knowledge of the private key, could have produced the valid signature.
The Digital Signature Algorithm
This is the algorithm
With DSA, the entropy, secrecy, and uniqueness of the random signature value k is critical. It is so critical that violating any one of those three requirements can reveal the entire private key to an attacker. Using the same value twice (even while keeping k secret), using a predictable value, or leaking even a few bits of k in each of several signatures, is enough to break DSA.
Question :
In DSA, if the signature generation process produces the value s = 0, why is a new value of k generated and why must the signature be recomputed?
SOURCE
W. Stallings, Cryptography and Network Security: Principles and Practice, Fifth Edition, New York: Prentice Hall, 2011.
http://en.wikipedia.org/wiki/ElGamal_signature_scheme accessed on 27 April 2015
http://en.wikipedia.org/wiki/Schnorr_signature accessed on 27 April 2015