Cryptography - Message Integrity Flashcards
Define message integrity
Ensures a message has not been altered
3 ways of performing message integrity
parity bits
- adds extra bit to the data that indicates if the number of 1 bits is odd or even
cyclical redundancy checks (CRC’s)
- Uses polynomial division to determine CRC value, usually 16 or 32 bits long. CRC value will not match up if a single bit is incorrect
checksum
- Adds up the bytes of data being sent and transmits that number to be checked later using the same method. Source and receiving checksums are determined and compared
Hash Functions
One way hash - to be effective, creating two messages with the same hash value must be mathematically impossible (collision free)
hashing algorithm is publicly known
function always performed in one direction
Using it in reverse is unnecessary
Attacker could alter original message if captured to create a second invalid message with a new hash value. Invalid message looks valid because it was appended with attacker’s new hash value, not original message’s hash value
Use Message Authentication Code (MAC)
- encrypting the hash function with a symmetric key algorithm creates a keyed MAC
-Symmetric key doesn’t encrypt original message. Only used to protect the hash value
Types of hash functions
MD (Message Digest algorithms)
MD2 Produces 128 bit hash value, performs 18 rounds of computations
MD4 Produces 128 bit hash value, performs 3 rounds of computations. Faster than MD2 but was successfully attacked
MD5 Produces 128 bit hash value, performs 4 rounds of computations.
More complex than MD4
Not collision free, shouldn’t be used for SSL certificates or digital signatures
US Govt requires SHA-2 instead of MD5
MD6 Produces variable hash value, performs variable rounds of computations
Introduced as candidate for SHA-3 but withdrawn because of early issues with differential attacks
Re-Released with the issue fixed but too late to be accepted for NIST SHA-3 standard
Secure Hash Algorithm (SHA)
Family of four algorithms published by US NIST
SHA-0 produces 160 bit hash value after performing 80 rounds of computations on 512 bit blocks
SHA-1 produces 160 bit hash value after performing 80 rounds of computations on 512 bit blocks. Corrected flaw in SHA-0 that made it susceptible to attacks
SHA-2 is a family of hash functions each of which provides different functional limits
SHA-2 Family
Each number is the bits of hash value SHA-224 SHA-256 SHA-384 SHA-512 SHA-512/224 SHA-512/256
SHA-3 Family
Like SHA-2, will be a family of hash functions
HAVAL
produces variable length hash values. Collisions were discovered
RIPEMD-160
Produces 160 bit hash value after performing 160 rounds of computations on 512 bit blocks
Tiger
Produces 128, 160 or 192 bit hash values after performing 24 rounds of computations on 512 bit blocks.
Unlike MD5, RIPEMD, SHA-0 or SHA-1, Tiger is not built on the MD4 architecture
Message Authentication Code (MAC)
Hash MAC (HMAC)
Hash MAC is a keyed-hash MAC using hash function with symmetric key
Provides data integrity and authentication
Any hash functions can be used with HMAC with the HMAC name being appended with the hash function name, ie. HMAC-SHA-1
Strength depends on strength of hash function include hash value size and the key size
Message Authentication Code (MAC)
Cipher block chaining MAC (CBC-MAC)
CBC-MAC is a block cipher MAC that operates in CBC mode
Provides data integrity and authentication
Message Authentication Code (MAC)
Cipher-based MAC (CMAC
CMAC operates same as CBC-MAC but with much better mathematical functions
Addresses some security issues with CBC-MAC
Approved to work with AES, 3DES
Digital Signatures
Hash value encrypted with sender’s private key
Provides authentication, nonrepudiation, integrity
PKI used to create digital signatures
Users register their public keys with a CA, which distributes a certificate containing user’s public key and the CA’s digital signature
Digital Signature is computed by user’s public key and validity period combined with certificate issuer and digital signature algorithm identifier
Blind Signature
form of digital signature where contents of message are masked before it’s signed