Hash Functions
Hash functions, or algorithms, are used for detecting unauthorized modifications to data. They serve as a type of watermark or digital signature that can be applied to data.
A popular example of a hash function is a one-way hash, in which a sending entity takes any arbitrary data, runs it through the hash function, and produces a fixedlength value called the hash. The resulting hash value is appended to the data and sent to the receiving entity. The receiver gets the data with the appended hash, runs the same hashing function on the data component, and compares the result with the hash value that was sent with the original data. If the two values are different, the receiver can conclude that the data may have been altered along the way. But if the two values are the same, the receiver can reasonably conclude that the integrity of the data has been preserved. The one-way hash function does not use any keys and is not used for encryption in any way.
Note The process of applying the hash function is sometimes called digesting, and the result is sometimes called a message digest.
Message authentication is a method used in cryptosystems for verifying the authenticity and integrity of data. The integrity aspects of message authentication are concerned with making sure that data is not modified or altered in any way before reaching its intended recipient. And the authenticity aspect is concerned with making sure that the data originates from the entity that receiver is expecting it to originate from. It is also referred to as message integrity code and message authentication code. Currently two approaches are used to ensure integrity and authenticity: Hash-based Message Authentication Code (HMAC) and Cipher Block Chaining Message Authentication Code (CBC-MAC).
HMAC HMAC combines the process of hash functions with a Message Authentication Code function of some sort. One key difference between plain hash functions and the HMAC function is the use of a secret key. The key type used here is symmetric. The HMAC process works like this:
- The sender and the receiver entities agree on a secret key to be used.
- The sender decides to transmit some arbitrary data to a receiver. But the sender wants to make sure that data is received intact at the other end and wants to provide some guarantee to the receiver that the sender actually sent the data.
- The sender appends the agreed upon secret key to the data to be sent.
- The result is passed through a hash function. The new hash value is the message authentication code.
- The message authentication code is appended to the original data (plain-text) and sent to the receiver.
- The next steps are carried out at the receiver end.
- The receiver receives the data with the appended message authentication code.
- The receiver appends the shared secret key to the data. The result is run through a hash function again. The hash value is the receiver's version of the message authentication code.
- The receiver compares his/her value of the message authentication code with the value that was received with the message from the sender.
- If the computed value is the same as the received value, the data can be assumed to have passed the integrity and authentication test.
- If the computed value is different from the received value, it can be assumed that the data was tampered with along the way.
Note that nowhere in the process is the data encrypted. Encryption or confidentiality is not a function of HMAC.
CBC-MAC CBC-MAC is a combination of the CBC mode used in block ciphers and a message authentication code of some sort.
CBC-MAC works in a simple but elegant way, described as follows:
- The sender and the receiver entities agree on a secret key to be used.
- The sender decides to transmit some arbitrary data to a receiver. But the sender wants to make sure that data is received intact at the other end and also wants to provide some guarantee to the receiver that the sender actually sent the data.
- The sender encrypts the arbitrary plain-text data using the CBC symmetric block cipher mode of operation. The encryption will be done on blocks of the plain-text and will result in corresponding blocks of cipher-text.
- The output of the final block of cipher-text is used as the message authentication code, which is appended to the plain-text data.
- The sender sends the plain-text and message authentication code combination to the receiver.
- The next steps are carried out at the receiver end.
- The receiver encrypts the plain-text data with the shared secret key. The encryption is performed with the CBC symmetric block cipher again, resulting in blocks of cipher-text.
- The last block of cipher-text is used as the receiver-generated message authentication code value.
- The receiver compares the message authentication code value with the value that was received with the message from the sender.
- If the computed value is the same as the received value, the data can be assumed to have passed the integrity and authentication test.
- If the computed value is different from the received value, it can be assumed that the data was tampered with along the way.
Note that nowhere in the process is the hashing algorithm performed. This is the key distinguishing factor between HMAC and CBC-MAC. You should also note that the whole point of the CBC-MAC process is not to hide the plain-text data.
In this tutorial:
- Securing Wireless Networks
- Security Background
- Security Services
- Cryptographic Concepts and Terms
- Encryption and Decryption
- Keyspace
- Exclusive OR (XOR)
- Algorithm
- Asymmetric Encryption Algorithms
- Public-Private Key Cryptography
- Cipher
- Concealment Ciphers vs. Running Key Ciphers
- Stream Ciphers vs. Block Ciphers
- Cipher Examples
- Cipher Implementations
- Wi-Fi Protected Access
- TKIP/WPA
- Wi-Fi Protected Access 2 (WPA2)
- CCMP/AES
- Hash Functions
- EAP
- EAP Entities
- EAP Grammar
- EAP Types
- EAP-TTLS
- EAP-PSK
- EAP-SIM
- EAP-AKA
- IEEE 802.11i
- Four-Way Handshake
- IEEE 802.11i Considerations