lecture 9.pdf
Document Details
Uploaded by StylishSpessartine
جامعة العلوم والتقانة
Related
- PCSII Depression/Anxiety/Strong Emotions 2024 Document
- A Concise History of the World: A New World of Connections (1500-1800)
- Human Bio Test PDF
- University of Santo Tomas Pre-Laboratory Discussion of LA No. 1 PDF
- Vertebrate Pest Management PDF
- Lg 5 International Environmental Laws, Treaties, Protocols, and Conventions
Full Transcript
University of Science and Technology Faculty of Computer Science and Information Technology Department of Information and Communication Technology Network Security: Lecture (9) Message Authentication Instructor: Prof. Noureldien A. Noureldien...
University of Science and Technology Faculty of Computer Science and Information Technology Department of Information and Communication Technology Network Security: Lecture (9) Message Authentication Instructor: Prof. Noureldien A. Noureldien In addition to message confidentiality, message authentication is an important networksecurity function. This chapter examines three aspects of message authentication. First,we look at the use of message authentication codes and hash functions to provide messageauthentication. Then we look at public-key encryption principles and two specificpublic-key algorithms. These algorithms are useful in the exchange of conventionalencryption keys. Then we look at the use of public- key encryption to produce digitalsignatures, which provides an enhanced form of message authentication. Approaches to Message Authentication Encryption protects against passive attack (eavesdropping). A different requirementis to protect against active attack (falsification of data and transactions). Protection against such attacks is known as message authentication. A message, file, document, or other collection of data is said to be authenticwhen it is genuine and comes from its alleged source. Message authentication is aprocedure that allows communicating parties to verify that received messages areauthentic.1 The two important aspects are to verify that the contents of the messagehave not been altered and that the source is authentic. We may also wish toverify a message’s timeliness (it has not been artificially delayed and replayed) andsequence relative to other messages flowing between two parties. All of these concernscome under the category of data integrity. 1. Authentication Using Conventional Encryption It would seem possible to perform authentication simply by the use of symmetricencryption. If we assume that only the sender and receiver share a key (which is as itshould be), then only the genuine sender would be able to encrypt a 1 message successfullyfor the other participant, provided the receiver can recognize a valid message. Furthermore, if the message includes an error-detection code and a sequence number,the receiver is assured that no alterations have been made and that sequencingis proper. If the message also includes a timestamp, the receiver is assured that themessage has not been delayed beyond that normally expected for network transit. 2. Message Authentication without Message Encryption In this section, we examine several approaches to message authentication that donot rely on encryption. In all of these approaches, an authentication tag is generatedand appended to each message for transmission. The message itself is not encryptedand can be read at the destination independent of the authentication function at thedestination. Typically, however, message authentication isprovided as a separate function from message encryption. [DAVI89] suggests threesituations in which message authentication without confidentiality is preferable: 1. There are a number of applications in which the same message is broadcast toa number of destinations. Two examples are notification to users that the networkis now unavailable and an alarm signal in a control center. It is cheaperand more reliable to have only one destination responsible for monitoring authenticity. Thus, the message must be broadcast in plaintext with an associatedmessage authentication tag. The responsible system performs authentication. Ifa violation occurs, the other destination systems are alerted by a general alarm. 2. Another possible scenario is an exchange in which one side has a heavy load andcannot afford the time to decrypt all incoming messages. Authentication is carriedout on a selective basis with messages being chosen at random for checking. 3. Authentication of a computer program in plaintext is an attractive service. The computer program can be executed without having to decrypt it everytime, which would be wasteful of processor resources. However, if a messageauthentication tag were attached to the program, it could be checked wheneverassurance is required of the integrity of the program. Message Authentication Code One authentication technique involves the use ofa secret key to generate a small block of data, known as a message authenticationcode (MAC) that is appended to the message. This technique assumes that twocommunicating parties, say A and B, 2 share a common secret key KAB. When Ahas a message to send to B, it calculates the message authentication code as a functionof the message and the key: MACM = F(KAB, M). The message plus code aretransmitted to the intended recipient. The recipient performs the same calculationon the received message, using the same secret key, to generate a new messageauthentication code. The received code is compared to the calculated code(Figure 3.1). If we assume that only the receiver and the sender know the identityof the secret key, and if the received code matches the calculated code, then the followingstatements apply: 1. The receiver is assured that the message has not been altered. If an attackeralters the message but does not alter the code, then the receiver’s calculationof the code will differ from the received code. Because the attacker isassumed not to know the secret key, the attacker cannot alter the code to correspondto the alterations in the message. 2. The receiver is assured that the message is from the alleged sender. Becauseno one else knows the secret key, no one else could prepare a message with aproper code. 3 3. If the message includes a sequence number (such as is used with HDLC andTCP), then the receiver can be assured of the proper sequence, because anattacker cannot successfully alter the sequence number. One-Way Hash Function An alternative to the message authentication code isthe one-way hash function. As with the message authentication code, a hash functionaccepts a variable-size message M as input and produces a fixed-size messagedigest H(M) as output. Unlike the MAC, a hash function does not take a secret keyas input. To authenticate a message, the message digest is sent with the message insuch a way that the message digest is authentic. Figure 3.2 illustrates three ways in which the message can be authenticated.The message digest can be encrypted using conventional encryption (part a);if it is assumedthat only the sender and receiver share the encryption key, thenauthenticity is assured. The message digest can be encrypted using public-keyencryption(part b); this is explained in Section 3.5. The public-key approach hastwo advantages: (1) It provides a digital signature as well as message authentication. (2) It does not require the distribution of keys to communicating parties. These two approaches also have an advantage over approaches that encryptthe entire message in that less computation is required. Nevertheless, there hasbeen interest in developing a technique that avoids encryption altogether. Severalreasons for this interest are pointed out in [TSUD92]: Encryption software is quite slow. Even though the amount of data to be encryptedper message is small, there may be a steady stream of messages intoand out of a system. Encryption hardware costs are nonnegligible. Low-cost chip implementationsof DES are available, but the cost adds up if all nodes in a network must havethis capability. Encryption hardware is optimized toward large data sizes. For small blocks of data, a high proportion of the time is spent in initialization/invocation overhead. An encryption algorithm may be protected by a patent. Figure 3.2c shows a technique that uses a hash function but no encryptionfor message authentication. This technique assumes that two communicating parties, 4 say A and B, share a common secret value SAB. When A has a message tosend to B, it calculates the hash function over the concatenation of the secret value and the message: MDM = H(SAB }M).2 It then sends [M}MDM] to B. Because Bpossesses SAB, it can recompute H(SAB }M) and verify MDM. Because the secretvalue itself is not sent, it is not possible for an attacker to modify an interceptedmessage. As long as the secret value remains secret, it is also not possible for an attackerto generate a false message. 5