University of Science and Technology
Faculty of Computer Science and Information Technology
Department of Information and Communication Technology

Network Security: Lecture (9)
Message Authentication
Instructor: Prof. Noureldien A. Noureldien

In addition to message confidentiality, message authentication is an important network security function. This chapter examines three aspects of message authentication. First, we look at the use of message authentication codes and hash functions to provide message authentication. Then we look at public-key encryption principles and two specific public-key algorithms. These algorithms are useful in the exchange of conventional encryption keys. Then we look at the use of public-key encryption to produce digital signatures, which provides an enhanced form of message authentication.

Approaches to Message Authentication

Encryption protects against passive attack (eavesdropping). A different requirement is to protect against active attack (falsification of data and transactions). Protection against such attacks is known as message authentication.

A message, file, document, or other collection of data is said to be authentic when it is genuine and comes from its alleged source. Message authentication is a procedure that allows communicating parties to verify that received messages are authentic. The two important aspects are to verify that the contents of the message have not been altered and that the source is authentic. We may also wish to verify a message’s timeliness (it has not been artificially delayed and replayed) and sequence relative to other messages flowing between two parties. All of these concerns come under the category of data integrity.

1. Authentication Using Conventional Encryption

It would seem possible to perform authentication simply by the use of symmetric encryption.
If we assume that only the sender and receiver share a key (which is as it should be), then only the genuine sender would be able to encrypt a message successfully for the other participant, provided the receiver can recognize a valid message. Furthermore, if the message includes an error-detection code and a sequence number, the receiver is assured that no alterations have been made and that sequencing is proper. If the message also includes a timestamp, the receiver is assured that the message has not been delayed beyond that normally expected for network transit.

2. Message Authentication without Message Encryption

In this section, we examine several approaches to message authentication that do not rely on encryption. In all of these approaches, an authentication tag is generated and appended to each message for transmission. The message itself is not encrypted and can be read at the destination independent of the authentication function at the destination. Typically, however, message authentication is provided as a separate function from message encryption. [DAVI89] suggests three situations in which message authentication without confidentiality is preferable:

1. There are a number of applications in which the same message is broadcast to a number of destinations. Two examples are notification to users that the network is now unavailable and an alarm signal in a control center. It is cheaper and more reliable to have only one destination responsible for monitoring authenticity. Thus, the message must be broadcast in plaintext with an associated message authentication tag. The responsible system performs authentication. If a violation occurs, the other destination systems are alerted by a general alarm.

2. Another possible scenario is an exchange in which one side has a heavy load and cannot afford the time to decrypt all incoming messages. Authentication is carried out on a selective basis with messages being chosen at random for checking.

3. Authentication of a computer program in plaintext is an attractive service. The computer program can be executed without having to decrypt it every time, which would be wasteful of processor resources. However, if a message authentication tag were attached to the program, it could be checked whenever assurance is required of the integrity of the program.

Message Authentication Code

One authentication technique involves the use of a secret key to generate a small block of data, known as a message authentication code (MAC), that is appended to the message. This technique assumes that two communicating parties, say A and B, share a common secret key $K_{AB}$. When A has a message to send to B, it calculates the message authentication code as a function of the message and the key: $\mathrm{MAC}_M = F(K_{AB}, M)$. The message plus code are transmitted to the intended recipient. The recipient performs the same calculation on the received message, using the same secret key, to generate a new message authentication code. The received code is compared to the calculated code (Figure 3.1). If we assume that only the receiver and the sender know the identity of the secret key, and if the received code matches the calculated code, then the following statements apply:

1. The receiver is assured that the message has not been altered. If an attacker alters the message but does not alter the code, then the receiver’s calculation of the code will differ from the received code. Because the attacker is assumed not to know the secret key, the attacker cannot alter the code to correspond to the alterations in the message.

2. The receiver is assured that the message is from the alleged sender. Because no one else knows the secret key, no one else could prepare a message with a proper code.

3. If the message includes a sequence number (such as is used with HDLC and TCP), then the receiver can be assured of the proper sequence, because an attacker cannot successfully alter the sequence number.
One-Way Hash Function

An alternative to the message authentication code is the one-way hash function. As with the message authentication code, a hash function accepts a variable-size message $M$ as input and produces a fixed-size message digest $H(M)$ as output. Unlike the MAC, a hash function does not take a secret key as input. To authenticate a message, the message digest is sent with the message in such a way that the message digest is authentic.

Figure 3.2 illustrates three ways in which the message can be authenticated. The message digest can be encrypted using conventional encryption (part a); if it is assumed that only the sender and receiver share the encryption key, then authenticity is assured. The message digest can be encrypted using public-key encryption (part b); this is explained in Section 3.5. The public-key approach has two advantages: (1) It provides a digital signature as well as message authentication. (2) It does not require the distribution of keys to communicating parties.

These two approaches also have an advantage over approaches that encrypt the entire message in that less computation is required. Nevertheless, there has been interest in developing a technique that avoids encryption altogether. Several reasons for this interest are pointed out in [TSUD92]:

- Encryption software is quite slow. Even though the amount of data to be encrypted per message is small, there may be a steady stream of messages into and out of a system.
- Encryption hardware costs are nonnegligible. Low-cost chip implementations of DES are available, but the cost adds up if all nodes in a network must have this capability.
- Encryption hardware is optimized toward large data sizes. For small blocks of data, a high proportion of the time is spent in initialization/invocation overhead.
- An encryption algorithm may be protected by a patent.

Figure 3.2c shows a technique that uses a hash function but no encryption for message authentication. This technique assumes that two communicating parties, say A and B, share a common secret value $S_{AB}$. When A has a message to send to B, it calculates the hash function over the concatenation of the secret value and the message: $\mathrm{MD}_M = H(S_{AB} \| M)$. It then sends $[M \| \mathrm{MD}_M]$ to B. Because B possesses $S_{AB}$, it can recompute $H(S_{AB} \| M)$ and verify $\mathrm{MD}_M$. Because the secret value itself is not sent, it is not possible for an attacker to modify an intercepted message. As long as the secret value remains secret, it is also not possible for an attacker to generate a false message.
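The MAC check with sequence numbers from the Message Authentication Code section and the H(S_AB || M) digest scheme of Figure 3.2c, as an added example that is not part of the original lecture. It assumes HMAC-SHA256 for F and SHA-256 for H, which the lecture does not specify; the key, the messages and the names md_tag, verify_md, mac_tag and Receiver are constructed for illustration.

```python
import hashlib
import hmac

def md_tag(secret: bytes, message: bytes) -> bytes:
    """MD_M = H(S_AB || M): hash over secret value followed by message."""
    return hashlib.sha256(secret + message).digest()

def verify_md(secret: bytes, message: bytes, tag: bytes) -> bool:
    """B recomputes H(S_AB || M) and compares it to the received digest."""
    return hmac.compare_digest(md_tag(secret, message), tag)

def mac_tag(key: bytes, seq: int, message: bytes) -> bytes:
    """MAC_M = F(K_AB, M) with F = HMAC-SHA256 (assumption). The sequence
    number is part of the authenticated data, so it cannot be altered."""
    data = seq.to_bytes(8, "big") + message
    return hmac.new(key, data, hashlib.sha256).digest()

class Receiver:
    """B's side: recompute the code, compare, then check sequencing."""
    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def accept(self, seq: int, message: bytes, tag: bytes) -> str:
        expected = mac_tag(self.key, seq, message)
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return "reject: bad tag"
        if seq != self.next_seq:                    # replayed or reordered
            return "reject: out of sequence"
        self.next_seq += 1
        return "accept"

def demo() -> list:
    key = b"constructed-demo-key-K_AB"              # constructed sample key
    b = Receiver(key)
    m0, m1 = b"network unavailable at 02:00", b"alarm: door 7"
    t0, t1 = mac_tag(key, 0, m0), mac_tag(key, 1, m1)
    return [
        b.accept(0, m0, t0),                 # genuine message
        b.accept(1, b"alarm: door 9", t1),   # content altered, code unchanged
        b.accept(0, m0, t0),                 # replay of message 0
        b.accept(1, m1, t1),                 # genuine, in order
        b.accept(2, m1, t1),                 # sequence number altered
    ]

if __name__ == "__main__":
    print(demo())
```

New designs should use HMAC (as mac_tag does) rather than the bare prefix form, which inherits the length-extension property of hashes such as SHA-256.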