Cryptography and Network Security (4th Edition)
11.2. Authentication Functions
Any message authentication or digital signature mechanism has two levels of functionality. At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message. This lower-level function is then used as a primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message. This section is concerned with the types of functions that may be used to produce an authenticator. These may be grouped into three classes, as follows:
We now briefly examine each of these topics; MACs and hash functions are then examined in greater detail in Sections 11.3 and 11.4. Message Encryption
Message encryption by itself can provide a measure of authentication. The analysis differs for symmetric and public-key encryption schemes. Symmetric Encryption
Consider the straightforward use of symmetric encryption (Figure 11.1a). A message M transmitted from source A to destination B is encrypted using a secret key K shared by A and B. If no other party knows the key, then confidentiality is provided: No other party can recover the plaintext of the message. Figure 11.1. Basic Uses of Message Encryption |
A |
•Provides confidentiality |
Only A and B share K |
•Provides a degree of authentication |
Could come only from A Has not been altered in transit Requires some formatting/redundancy |
•Does not provide signature |
Receiver could forge message Sender could deny message |
(a) Symmetric encryption |
A |
• Provides confidentiality |
Only B has PRb to decrypt |
• Provides no authentication |
Any party could use PUb to encrypt message and claim to be A |
(b) Public-key (asymmetric) encryption: confidentiality |
A |
• Provides authentication and signature |
Only A has PRb to encrypt Has not been altered in transit Requires some formatting/redundancy Any party can use PUa to verify signature |
(c) Public-key encryption: authentication and signature |
A |
• Provides confidentiality because of PUb |
• Provides authentication and signature because of PRa |
(d) Public-key encryption: confidentiality, authentication, and signature |
Message Authentication Code
An alternative authentication technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC that is appended to the message. This technique assumes that two communicating parties, say A and B, share a common secret key K. When A has a message to send to B, it calculates the MAC as a function of the message and the key:MAC = C(K, M), where
M | = input message |
C | = MAC function |
K | = shared secret key |
MAC | = message authentication code |
The message plus MAC are transmitted to the intended recipient. The recipient performs the same calculation on the received message, using the same secret key, to generate a new MAC. The received MAC is compared to the calculated MAC (Figure 11.4a). If we assume that only the receiver and the sender know the identity of the secret key, and if the received MAC matches the calculated MAC, then
The receiver is assured that the message has not been altered. If an attacker alters the message but does not alter the MAC, then the receiver's calculation of the MAC will differ from the received MAC. Because the attacker is assumed not to know the secret key, the attacker cannot alter the MAC to correspond to the alterations in the message.
[Page 325] The receiver is assured that the message is from the alleged sender. Because no one else knows the secret key, no one else could prepare a message with a proper MAC.
If the message includes a sequence number (such as is used with HDLC, X.25, and TCP), then the receiver can be assured of the proper sequence because an attacker cannot successfully alter the sequence number.
Figure 11.4. Basic Uses of Message Authentication Code (MAC)
A MAC function is similar to encryption. One difference is that the MAC algorithm need not be reversible, as it must for decryption. In general, the MAC function is a many-to-one function. The domain of the function consists of messages of some arbitrary length, whereas the range consists of all possible MACs and all possible keys. If an n-bit MAC is used, then there are 2n possible MACs, whereas there are N possible messages with N >> 2n. Furthermore, with a k-bit key, there are 2k possible keys.
For example, suppose that we are using 100-bit messages and a 10-bit MAC. Then, there are a total of 2100 different messages but only 210 different MACs. So, on average, each MAC value is generated by a total of 2100/210 = 290 different messages. If a 5-bit key is used, then there are 25 = 32 different mappings from the set of messages to the set of MAC values.
It turns out that because of the mathematical properties of the authentication function, it is less vulnerable to being broken than encryption.
The process depicted in Figure 11.4a provides authentication but not confidentiality, because the message as a whole is transmitted in the clear. Confidentiality can be provided by performing message encryption either after (Figure 11.4b) or before (Figure 11.4c) the MAC algorithm. In both these cases, two separate keys are needed, each of which is shared by the sender and the receiver. In the first case, the MAC is calculated with the message as input and is then concatenated to the message. The entire block is then encrypted. In the second case, the message is encrypted first. Then the MAC is calculated using the resulting ciphertext and is concatenated to the ciphertext to form the transmitted block. Typically, it is preferable to tie the authentication directly to the plaintext, so the method of Figure 11.4b is used.
Because symmetric encryption will provide authentication and because it is widely used with readily available products, why not simply use this instead of a separate message authentication code? [DAVI89] suggests three situations in which a message authentication code is used:
There are a number of applications in which the same message is broadcast to a number of destinations. Examples are notification to users that the network is now unavailable or an alarm signal in a military control center. It is cheaper and more reliable to have only one destination responsible for monitoring authenticity. Thus, the message must be broadcast in plaintext with an associated message authentication code. The responsible system has the secret key and performs authentication. If a violation occurs, the other destination systems are alerted by a general alarm.
Another possible scenario is an exchange in which one side has a heavy load and cannot afford the time to decrypt all incoming messages. Authentication is carried out on a selective basis, messages being chosen at random for checking.
Authentication of a computer program in plaintext is an attractive service. The computer program can be executed without having to decrypt it every time, which would be wasteful of processor resources. However, if a message authentication code were attached to the program, it could be checked whenever assurance was required of the integrity of the program.
Three other rationales may be added, as follows:
For some applications, it may not be of concern to keep messages secret, but it is important to authenticate messages. An example is the Simple Network Management Protocol Version 3 (SNMPv3), which separates the functions of confidentiality and authentication. For this application, it is usually important for a managed system to authenticate incoming SNMP messages, particularly if the message contains a command to change parameters at the managed system. On the other hand, it may not be necessary to conceal the SNMP traffic.
Separation of authentication and confidentiality functions affords architectural flexibility. For example, it may be desired to perform authentication at the application level but to provide confidentiality at a lower level, such as the transport layer.
A user may wish to prolong the period of protection beyond the time of reception and yet allow processing of message contents. With message encryption, the protection is lost when the message is decrypted, so the message is protected against fraudulent modifications only in transit but not within the target system.
Finally, note that the MAC does not provide a digital signature because both sender and receiver share the same key.
Table 11.2 summarizes the confidentiality and authentication implications of the approaches illustrated in Figure 11.4.
A |
•Provides authentication |
Only A and B share K |
(a) Message authentication |
A |
• Provides authentication |
Only A and B share K1 |
• Provides confidentiality |
Only A and B share K2 |
(b) Message authentication and confidentiality: authentication tied to plaintext |
A |
• Provides authentication |
Using K1 |
• Provides confidentiality |
Using K2 |
(c) Message authentication and confidentiality: authentication tied to ciphertext |
Hash Function
A variation on the message authentication code is the one-way hash function. As with the message authentication code, a hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M). Unlike a MAC, a hash code does not use a key but is a function only of the input message. The hash code is also referred to as a message digest or hash value. The hash code is a function of all the bits of the message and provides an error-detection capability: A change to any bit or bits in the message results in a change to the hash code.
Figure 11.5 illustrates a variety of ways in which a hash code can be used to provide message authentication, as follows:
The message plus concatenated hash code is encrypted using symmetric encryption. This is identical in structure to the internal error control strategy shown in Figure 11.2a. The same line of reasoning applies: Because only A and B share the secret key, the message must have come from A and has not been altered. The hash code provides the structure or redundancy required to achieve authentication. Because encryption is applied to the entire message plus hash code, confidentiality is also provided.
Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden for those applications that do not require confidentiality.
[Page 330] Note that the combination of hashing and encryption results in an overall function that is, in fact, a MAC (Figure 11.4a). That is, E(K, H(M)) is a function of a variable-length message M and a secret key K, and it produces a fixed-size output that is secure against an opponent who does not know the secret key.
Only the hash code is encrypted, using public-key encryption and using the sender's private key. As with (b), this provides authentication. It also provides a digital signature, because only the sender could have produced the encrypted hash code. In fact, this is the essence of the digital signature technique.
If confidentiality as well as a digital signature is desired, then the message plus the private-key-encrypted hash code can be encrypted using a symmetric secret key. This is a common technique.
It is possible to use a hash function but no encryption for message authentication. The technique assumes that the two communicating parties share a common secret value S. A computes the hash value over the concatenation of M and S and appends the resulting hash value to M. Because B possesses S, it can recompute the hash value to verify. Because the secret value itself is not sent, an opponent cannot modify an intercepted message and cannot generate a false message.
Confidentiality can be added to the approach of (e) by encrypting the entire message plus the hash code.
Figure 11.5. Basic Uses of Hash Function (This item is displayed on page 329 in the print version)
When confidentiality is not required, methods (b) and (c) have an advantage over those that encrypt the entire message in that less computation is required. Nevertheless, there has been growing interest in techniques that avoid encryption (Figure 11.5e). Several reasons for this interest are pointed out in [TSUD92]:
Encryption software is relatively slow. Even though the amount of data to be encrypted per message is small, there may be a steady stream of messages into and out of a system.
Encryption hardware costs are not negligible. Low-cost chip implementations of DES are available, but the cost adds up if all nodes in a network must have this capability.
Encryption hardware is optimized toward large data sizes. For small blocks of data, a high proportion of the time is spent in initialization/invocation overhead.
Encryption algorithms may be covered by patents. For example, until the patent expired, RSA was patented and had to be licensed, adding a cost.
Table 11.3 summarizes the confidentiality and authentication implications of the approaches illustrated in Figure 11.5. We next examine MACs and hash codes in more detail.
A | A |
• Provides confidentiality | • Provides authentication and digital signature |
Only A and B share K | • Provides confidentiality |
• Provides authentication | Only A and B share K |
H(M) is cryptographically protected | |
(a) Encrypt message plus hash code | (d) Encrypt result of (c)shared secret key |
A | A |
• Provides authentication | • Provides authentication |
H(M) is cryptographically protected | Only A and B share S |
(b) Encrypt hash codeshared secret key | (e) Compute hash code of message plus secret value |
A | A |
• Provides authentication and digital signature | • Provides authentication |
H(M) is cryptographically protected | Only A and B share S |
Only A could create E(PRa, H(M)) | • Provides confidentiality |
Only A and B share K | |
(c) Encrypt hash codesender's private key | (f) Encrypt result of (e) |
Категории