21/11/2020

Network Security – Cryptography – Part 3

٣ ‫امنيت شبكه – رمزنگاري – بخش‬
Mohammad Sayad
University of Tehran

How hard is this course?

Course
Hardship

Lecture Notes
2 Sayad – University of Tehran

1
 21/11/2020

‫كد احراز اصالت پيام‬

Message Authentication Code (MAC)

Lecture Notes
3 Sayad – University of Tehran

Message Authentication Code (MAC)

MAC provides Authentication + Integrity

But not Confidentiality

It is sometimes called Message Integrity Code (MIC) to

differentiate it from Medium Access Control (MAC).

Lecture Notes
4 Sayad – University of Tehran

2
 21/11/2020

Message Authentication Code (MAC)

This technique assumes that
two communicating parties,
say A and B, share a common
secret key KAB.

When A has a message to

send to B, it calculates the
X
message authentication code
as a function of the message
and the key: MACM =F(KAB,M)
A B

Lecture Notes
5 Sayad – University of Tehran

Points ‫نكات‬

‫ با‬B ‫ گيرنده‬،‫ تنها دست فرستنده و گيرنده است‬KAB ‫از آنجا كه كليد‬
‫ مطمئن ميشود كه پيام از‬KAB ‫دريافت پيام و بازگشايي چكيده با كليد‬
‫ با رمزنگاري نامتقارن نيز چنين تضميني ايجاد‬.‫ ارسال شده است‬A ‫طرف‬
(Authentication) .‫ميشود‬

، B ‫ چون در طرف‬،‫اگر پيام در ميانه راه توسط كسي دستكاري شود‬

‫ گيرنده‬،‫ توليد شده پيام با ضميمه انتهاي آن همخواني ندارد‬MAC
‫ بنابراين امكان دست بردن در پيام‬.‫متوجه مخدوش بودن پيام خواهد شد‬
(Integrity) ‫وجود ندارد‬
Lecture Notes
6 Sayad – University of Tehran

3
 ‫‪21/11/2020‬‬

‫?‪What’s inside a MAC‬‬ ‫داخل ‪ MAC‬چه چيزي است‬

‫‪ ‬الگوريتم ‪ MAC‬شامل دو قسمت است‬

‫چون رمز کردن تمام‬
‫پيام هزینه بر است‬ ‫‪ -١‬محاسبه چكيده اي از پيام‬

‫‪ -٢‬ارسال چكيده با كليد يا رمزي كه گيرنده بتواند آنرا بازگشايي كند‪.‬‬

‫آيا ﻻزم است طوري ‪ MAC‬ساخته شود كه فقط گيرنده بتواند آنرا باز كند؟‬
‫چه اتفاقي مي افتد اگر همه بتوانند ‪ MAC‬را رمزگشايي كنند؟‬
‫‪ -‬پاسخ به اين سوال وابسته به اين است كه از رمز متقارن استفاده كنيم يا نامتقارن‬
‫‪Lecture Notes‬‬
‫‪7‬‬ ‫‪Sayad – University of Tehran‬‬

‫توابع چكيده ساز )در هم ريز( ‪Hash Functions‬‬

‫‪Lecture Notes‬‬
‫‪8‬‬ ‫‪Sayad – University of Tehran‬‬

‫‪4‬‬
 21/11/2020

Hash Functions (‫توابع چكيده ساز )در هم ريز‬

m H H(m)

‫ بدست آمده از پيام که اندازه ثابت‬Hash

‫پيام با هر اندازه ای‬
‫ بيت‬128 ‫ مثﻼ‬،‫دارد‬

... ،MD4 ،SHA-1: Hash ‫مثال الگوريتم هاي‬

‫ بنابراين يكطرفه هستند‬.‫ تابع كليد نيستند و هر متني را به طول ثابت فشرده ميكنند‬Hash ‫توابع‬
.‫ محاسبه معكوس اين توابع از نظر محاسباتي غير ممكن است‬.‫و پيام اصلي قابل بازيابي نيست‬

Lecture Notes
9 Sayad – University of Tehran

MD4("The quick brown fox jumps over the lazy dog") :‫مثال‬
= 1bee69a46ba811185c194762abaeae90
MD4("The quick brown fox jumps over the lazy cog")
= b86e130ce7028da59e672d56ad0113df

MD4 ("") = 31d6cfe0d16ae931b73c59d7e0c089c0

MD4 ("a") = bde52cb31de33e46245e05fbdbd6fb24
MD4 ("abc") = a448017aaf21d8525fc10ae87aa6729d
MD4 ("message digest") = d9130a8164549fe818874806e1c7014b
MD4 ("abcdefghijklmnopqrstuvwxyz")
= d79e1c308aa5bbcdeea8ed63df412da9
MD4
("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345678
9")
10 = 043f8582f241db351ce627e153e7f0e4 Lecture Notes
Sayad – University of Tehran

5
 21/11/2020

(Hash Function Properties) ‫خواص تابع چكيده ساز‬

1. H can be applied to a block of data of any size.

2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x
4. For any given code h, it is computationally infeasible to find x
such that H(x)=h.
(A hash function with this property is referred to as one-way or
preimage resistant)
‫یکطرفه بودن تابع چکيده ساز‬

Lecture Notes
11 Sayad – University of Tehran

(Hash Function Properties) ‫خواص تابع چكيده ساز‬

5. For any given block x, it is computationally infeasible to
find y≠x with H(y)=H(x).
(A hash function with this property is called second preimage
resistant. This is sometimes referred to as weak collision
resistant)

H(x)=H(y)
y

Lecture Notes
12 Sayad – University of Tehran

6
 21/11/2020

(Hash Function Properties) ‫خواص تابع چكيده ساز‬

6. It is computationally infeasible to find any pair (x, y) such
that H(x)=H(y).
(A hash function with this property is referred to as collision
resistant. This is sometimes referred to as strong collision
resistant)

H(x)=H(y)

Lecture Notes
13 Sayad – University of Tehran

Hash Function ‫ با استفاده از‬MAC ‫روشهاي ساخت‬

Lecture Notes
14 Sayad – University of Tehran

7
 21/11/2020

Hash Function ‫ با استفاده از‬MAC ‫روشهاي ساخت‬

Lecture Notes
15 Sayad – University of Tehran

Hash Function ‫ با استفاده از‬MAC ‫روشهاي ساخت‬

Secret value can be the key Lecture Notes

16 Sayad – University of Tehran

8
 21/11/2020

How to make a MAC using a block cipher

M1…Mn-1 are plain text pieces. K and K2 are encryption and

MAC keys, respectively. MSB(Tlen) takes a desired length
from output (from the most significant bit).
Lecture Notes
17 Sayad – University of Tehran

‫ معروف كدامند‬Hash ‫توابع‬

MD4 ،MD5
MD4 was proposed by Ronald Rivest in 1990. The digest
length is 128 bits. It was broken later but it influenced the
design of MD5 (RFC1321), SHA-1 and RIPEMD hashing
algorithms.

SHA-0 ،… ،SHA-3
SHA was developed by the National Institute of Standards
and Technology (NIST) and published as a federal
information processing standard (FIPS 180) in 1993. SHA
used MDx designs. Lecture Notes
18 Sayad – University of Tehran

9
 21/11/2020

SHA-512 ‫ساختمان‬

 Input is padded so that its

length is 896 (mod 1024)
 128 bits are added to the
end showing the message
length
 IV is a 512 bit fixed
initialization vector
 F function is defined in the
next slide

Lecture Notes
19 Sayad – University of Tehran

F Function in SHA-512
 Hi-1 is divided into 8 64-bit
registers a,b,c,d,e,f,g,h

 Kx s’ are constants set by

the designer

!‫ﻻزم به حفظ کردن نيست‬

Lecture Notes
20 Sayad – University of Tehran

10
 21/11/2020

Length Extension Attack (on SHA)

 You remember this? 
 Now imagine we use
SHA-2 512 in this setup.
S

The attacker has this

on the channel

+1 New VALID hash code of the

appended message Lecture Notes
21 Sayad – University of Tehran

General Structure - Merkle-Damgard

Message m padded to M, a multiple of a fixed-length block
M is divided into segments m1,m2, … mn
m1 m2 …… mn

IV F F F hash value
…

Merkle-Damgard, 1989
F is called the compression function
Takes inputs mi and output of previous iteration
Typically a series of rounds
Output called a “chaining variable”
Typically, a function operates on chaining variables then adds to mi Lecture Notes
22 Sayad – University of Tehran

11
 21/11/2020

SHA-3 – Competition
2004-2005 Wave of new cryptanalysis
٢٠٠٤ ‫ و‬٢٠٠٥ ‫موجي از حمﻼت جديد در سالهاي‬

Wang, Biham, Joux, Kelsey all published significant papers….

Cast doubt on existing hash standards and the traditional Merkle-
Damgård construction
2005, 2006 NIST Hash Function Workshops
‫ براي برگزاري مسابقه جديد طراحي‬NIST ‫تقاضاي صنعت و دانشگاه از‬

Industry and academia encouraged NIST to run a competition and

contribute to planning
2007 NIST organized SHA-3 competition
64 candidates submitted 31 Oct. 2008 Lecture Notes
23 (Quynh Dang & Tim Polk, NIST)Sayad – University of Tehran

SHA-3 Competition
Five Finalists identified late in 2010.
Blake, Grøstl, JH, Keccak, Skein
Final tweaks submitted January 2011.
Final Workshop held in March 2012 in Washington DC
The winner was Keccak algorithm

SHA3

Lecture Notes
24 Sayad – University of Tehran

12
 21/11/2020

SHA-3 – Sponge Construction

• Each round, the next r bits of message is XOR’ed into the first r bits of the state, and a
function f is applied to the state.
• After message is consumed, output r bits of each round as the hash output; continue
applying f to get new states
• SHA-3 uses 1600 bits for state size. Lecture Notes
25 Sayad – University of Tehran

Speed Comparisons

Algorithm Speed (MiByte/s.)

AES-128 / CTR 198
MD5 335
SHA-1 192
SHA-256 139
SHA-3 ~ SHA-256

Crypto++ 5.6 benchmarks, 2.2 GHz AMD Opteron 8354

NIST expects SHA-2 to be used for the foreseeable future.

Lecture Notes
26 ([Link]) Sayad – University of Tehran

13
 21/11/2020

HMAC ‫استاندارد‬

RFC 2104  SHA ‫ با استفاده از‬MAC ‫ ساخت يك‬: ‫ هدف‬

... ،SET ،TLS ، IP Security :‫ محل استفاده‬

MAC should be designed in a way that it both

has fixed length and is a function of the key.
‫ بايد به نحوي تابعي ساخته شود كه هم عمل چكيده سازي را‬MAC
.‫انجام دهد و هم تابع كليد باشد‬

Lecture Notes
27 Sayad – University of Tehran

HMAC ‫ساختمان‬

The second hash eliminates the

possibility of length extension, even
if a weak hash function is used.

Lecture Notes
28 Sayad – University of Tehran

14
 21/11/2020

Summary ‫خﻼﺻه‬
easy

m H H(m)

‫ بدست آمده از پيام که اندازه ثابت‬Hash

‫پيام با هر اندازه ای‬
‫ بيت‬128 ‫ مثﻼ‬،‫دارد‬

hard

Lecture Notes
29 Sayad – University of Tehran

Security of Hash Functions

 Two Attack Approaches:
 Cryptanalysis  Looking for a logical weakness
 Brute Force  Exhaustive searching

 The strength of a hash function against brute-

force attacks depends solely on n. The level of
effort in each case is:

Birthday
Paradox
Lecture Notes
30 Sayad – University of Tehran

15
 21/11/2020

Birthday Paradox
 If there are n people in a room, how much is the probability
that at least 2 of them have the same birthday? (collision)

For 23 people: p(23)=50.7% !

Lecture Notes
31 Sayad – University of Tehran

Hash/MAC ‫پايان‬

Lecture Notes
32 Sayad – University of Tehran

16