Message Authentication Codes. Reading: Chapter 4 of Katz & Lindell

Transcription

1 Message Autheticatio Codes Readig: Chapter 4 of Katz & Lidell 1

2 Message autheticatio Bob receives a message m from Alice, he wats to ow (Data origi autheticatio) whether the message was really set by Alice. (Data itegrity) whether the message has bee modified. Two solutios: Alice attaches a message autheticatio code (MAC) to the message (usig a symmetric ey to compute the MAC). Or she attaches a sigature to the message (usig a asymmetric ey to compute the sigature). 2

3 Basic idea of MAC Message autheticatio protocol: 1. Alice ad Bob share a secret ey. 2. To sed a message m, Alice computes a tag t : MAC ( m) ad seds m, t to Bob. 3. O receivig m, t, Bob checs whether t MAC ( m). If so, he accepts the message; otherwise, he rejects it. The tag t is called a message autheticatio code (MAC). Security requiremet: computatioally ifeasible to forge a valid pair ( x, MAC ( x)) without owig the ey. 3

4 MAC Scheme (formal defiitio) A MAC scheme is a triple ( Ge, Mac, Vrfy): Key geeratio algorithm: O iput 1, outputs a ey {0,1}. u Tag geeratio algorithm Mac : O iput a ey ad a message mm, Mac outputs a tag t. We write t Mac ( m). l( ) * ( M is the message space. Assume M {0,1} or M {0,1}.) Verificatio algorithm Vrfy : O iput a ey, a message m, ad a tag t, algorithm Vrfy outputs 1 (meaig valid) or 0 ( ivalid). Vrfy ( m, t) 0 or 1. Ge, Mac are probabilistic algorithms. Vrfy is determiistic. Correctess requiremet: for every K ad m M, Vrfy m, Mac ( m) 1. 4

5 Caoical verificatio (used whe Mac is determiistic): Vrfy ( m, t) 1 if Mac ( m) t 0 otherwise l( ) If M {0,1}, the scheme is said to a fixed-le gth MAC scheme for messages of legth l ( ). Fixed-legth MAC schemes are easier to costruct. be Geeral MAC schemes for fixed-legth schemes. M * {0,1} ca be costructed from 5

6 Chose-Message Attacs o MAC Schemes Experimet MAC-Forge ( ): A, 1. A ey G(1 ) is geerated. 2. The adversary A is give iput 1 ad oracle access to Mac ( ). A may as the oracle to compute tags for messages of its choice. Let Q be the set of all queries Ahas made to the oracle. 3. A evetually outputs a pair ( m, t). ( A tries to for ge a valid pair of message ad tag. ) 4. MAC-Forge A, ( ) 1 ( A succeeds) if m Q ad Vrfy ( m, t) 1. Remars: Adversary: a adaptive chose-message attacer. Forgery: a existetia l forgery. 6

7 MAC security: existetial uforgeability uder a adaptive chose-message attac Defiitio: A MAC scheme ( Ge, Mac, Vrfy) is existetially uforgeable uder a adaptive chose-message attac (or simply secure) if for all polyomial-time adversaries A, there exists a egligible fuctio egl or such that where the Pr MAC-Forge A, ( ) 1 egl( ) output of A, ( m, t), satisfies m Q. Mac ( ) Pr Vrfy A 1 1: u {0,1} egl( ) 7

8 Strog MAC security If a MAC scheme is secure, the probability is egligible that A ca forge a valid ( m, t) with mq. However, it may be possible for A to forge a d ifferet valid tag t t for some message mq, where t is the tag retured by the oracle o m. If o adversary is able to do so, the MAC scheme is strogly secure. To formally defie strog security, modify the experimet as follows: Let Q ( m, t) : mq, t is the tag retured by the oracle o m. A succeeds if a oly if it outputs a valid pair ( m, t) Q. If MAC is determiistic, the "secure" "strogly secure". 8

9 Costructig secure MAC schemes Let F be a pseudoradom fuctio. We will use F to costruct secure MAC schemes i several steps. Secure fixed-leg th MAC schemes for messages of legt h Secure fixed-legth MAC schemes for messages of legth q( ) Secure MAC schemes for arbitrary-legth messages For simplicity, assume message legth is a multiple of. (We ca always do paddig to mae this assumptio true.) 9

10 Secure MAC schemes for M {0,1} Let F be a pseudoradom fuctio. Fixed-legth MAC scheme for messages of legth : Key geeratio: O iput 1, {0,1}. Tag geeratio: O iput {0,1} ad message m{0,1}, output the tag t : F ( m). 1 if F ( m) t Verificatio: O iput ( m, t), Vrfy ( m, t) : 0 otherwise u Theorem: Such a MAC scheme is secure. 10

11 Basic CBC-MAC Let F be a pseudoradom fuctio. Basic CBC-MAC wors as follows: Key geeratio: {0,1}. u q Tag geeratio: For ey {0,1} ad message m{0,1}, parse m as m ( m,, m ) // q( ) blocs // 1 apply CBC to m with IV 0, i.e., let output t : 0 ad t : F ( m t ) for 1 i q 0 i i i1 t q as the tag Verificatio: caoical q Theorem: For ay fixed fuctio q ( ), basic CBC-MAC is secure for messages of legth q( ). 11

12 Remars It is importat that t ( IV ) is fixed, or the scheme would be isecure. 0 Also, the scheme would be isecure if message legth is variable. Suppose 4 t : Mac ( m m m ) ad t: Mac ( m ). Let m be such that t m m The Mac ( m m m m ) t IV 0 m F 4 t 12

13 CBC-MAC for arbitrary-legth messages A FIPS ad ISO stadard. There are several variats of CBC-MAC. Oe variat of CBC-MAC: Preped the message m with its legth m (as a -bit strig) ad the compute basic CBC-MAC o the result. Remars: There is a limitatio o m. It would be isecure if m is appeded to the ed of m. 13

14 14

15 Aother variat of CBC-MAC Geerate two eys, {0,1}. 1 2 To autheticate a message m, let the tag be u t : F basic-cbc-mac ( m). 2 1 Oe may use oly oe ey ad geerate 1 2 : F (1) ad : F (2) 1 2, from : 15

16 Security of CBC-MAC (for arbitrary legth) Theorem: CBC-MAC is secure if F is a pseudoradom fuctio. I practice, bloc ciphers (such as DES, AES) are used. 16

17 Autheticated Ecryptio To esure both secrecy ad itegrity 17

18 Uforgeable ecryptio Experimet Ec-Forge ( ) : A, Ru Ge(1 ) to obtai a ey. The adversary A is give 1 ad access to oracle Ec ( ), ad outputs a ciphertext c. Let m : Dec ( c). Let Q be the set of all messages that A has ased the oracle for ecryptio. The output of the experimet is 1 ( A succeeds) if ad oly if m is a valid message ( m M ) ad mq. Defiitio: A ecryptio scheme ( Ge, Ec, Dec) is if for every A, Pr Ec-Forge A, ( ) 1 egl( ). uforgeable 18

19 Autheticated ecryptio scheme Defiitio: A symmetric-ey ecryptio scheme is a autheticated ecryptio scheme if it is CCA-secure ad uforgeable. We will costruct a autheticated ecryptio scheme from a CPA-secure ecryptio scheme ad a strogly secure MAC scheme. Three atural ways: Ecrypt ad autheticate (isecure) Autheticate the ecrypt (isecure) Ecrypt the autheticate (secure) I the followig slides, let m be a message, a ecryptio ey, ad M a MAC ey. E 19

20 Ecrypt ad Autheticate Seder: ecrypt ad autheticate m the ciphertext is ct, where idepedetly. That is, c Ec ( m), t Mac ( m) E M Receiver: give ciphertext ct,, do m Dec ( c), ad the chec if Vrfy ( m, t) 1. E M Security: Not ecessarily EAV-secure, sice t might lea ifo about m. If Mac is determiistic (e.g., CBC-MAC), the the scheme is ot CPA-secure. 20

21 Autheticate the Ecrypt Seder: autheticate m first ad the ecrypt m ad the tag. Thus, the ciphertext is c computed as: t Mac ( m), c Ec ( m t) M E Receiver: give ciphertext c, do m t Dec ( c) ad the chec if Vrfy ( m, t) 1. E M A potetial attac: Suppose PKCS#5 paddig is used. Suppose the receiver does: if the paddig is icorrect the retur a "bad paddig" error elseif the tag is icorrect the retur a "bad mac" error. The paddig attac ca be coducted to recover the etire m t. 21

22 Ecrypt the Autheticate Seder: ecrypt m first ad the autheticate the result. Thus, the ciphertext is c, t where c Ec ( m), t Mac ( c) E M Receiver: o receivig c, t, if Vrfy ( c, t) 1 the m Dec ( c). M E Theorem: If the ecryptio scheme is CPA-secure ad the MAC scheme is strogly secure, the the ecryptio-the-autheticate costructio yields a autheticated ecryptio scheme. CPA-secure ecryptio + strogly secure MAC CCA-secure ad uforgeable ecryptio 22