Lecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Transcription

1 Lecture 8 Message Authentication COSC-260 Codes and Ciphers Adam O Neill Adapted from

2 Setting the Stage We now have two lower-level primitives in our tool bag: blockciphers and hash functions.

3 Setting the Stage We now have two lower-level primitives in our tool bag: blockciphers and hash functions. Today we study our second higher-level primitive, message authentication codes.

4 Setting the Stage We now have two lower-level primitives in our tool bag: blockciphers and hash functions. Today we study our second higher-level primitive, message authentication codes. Note that authenticity of data is arguably even more important than privacy.

5 Setting and Goals 0*0=05. Alice Integrity lavthenticity of data. VM * m is not modified Eve by Eve * Alice really sent on. / ^

6 Example: Electronic Banking Like.de#ngtbdI**isaY A { are a Eve could try to change $100 to $1000 or charge Bob to Eve.

7 Syntax and Usage n AmessageauthenticationcodeT :Keys D R is a family of functions. The envisaged usage is shown below, where A is the adversary: of m tag upon teaeiry, Keys K (,t1 accept on under key iff of = t.sk#jig affiliates Bob on

8 vhforgeasility under alhosen message attack UF-CMA Let T : Keys D R be a message authentication code. Let A be an adversary. Game UFCMA T procedure Initialize K $ Keys ; S procedure Tag(M) T ot K (M); S S {M} return T procedure Finalize(M, T ) If M S then return false If M D then return false Return (T = T K (M)) The uf-cma advantage of adversary A is ] Adv uf-cma T (A) = Pr [UFCMA A T true.

9 Lower-Bound on Tag Length Consider an adversary which simply guesses a tag at random. Adversary t $R A ret ( mit ) for some arbitrary.me/).adruytanaca1=prtufcmaf=71t => for n - bit 1 security we need Iog k/2n.

10 .. Basic CBC-MAC g Cipher - block Chaining Let E : {0, 1} k B B be a blockcipher, where B = {0, 1} n.viewa message M B as a sequence of n-bit blocks, M = M[1]...M[m]. The basic CBC MAC T : {0, 1} k B B is defined by Alg T K (M) C[0] 0 n for i =1,...,m do C[i] E K (C[i 1] M[i]) A Adversary return C[m] MFD ma ] T, Tag( MID) o % t Ti Tzttagcoy cm##.) IFHE f gy - not taend k.

11 Splicing Attack See pneniovs slide in

12 Replay Attacks Refers to a real-life adversary being able to capture and re-transmit a message and tag.

13 Replay Attacks Refers to a real-life adversary being able to capture and re-transmit a message and tag. Not captured by UF-CMA.

14 Replay Attacks Refers to a real-life adversary being able to capture and re-transmit a message and tag. Not captured by UF-CMA. Best dealt with as an add-on to standard message authentication.

15 Using Timestamps Let Time A be the time as per Alice s local clock and Time B the time as per Bob s local clock. Alice sends (M, T K (M), Time A ) Bob receives (M, T, Time) andacceptsiff T = T K (M) and Time B Time where is a small threshold. Does this work? the problem is that Time is not authenticated! Alice should send ( M, Tk ( Mlkineaftinea )

16 Using Counters Alice maintains a counter ctr A and Bob maintains a counter ctr B.Initially both are zero. Alice sends (M, T K (M ctr A )) and then increments ctr A Bob receives (M, T ). If T K (M ctr B )=T then Bob accepts and increments ctr B.

17 - random pseudo function message - \ authentication PRF-as-a-MAC Code. If F is PRF-secure then it is also UF-CMA-secure: Theorem [GGM86,BKR96]: Let F : {0, 1} k D {0, 1} n be a family of functions. Let A be a uf-cma adversary making q Tag queries and having running time t. Then there is a prf-adversary B such that Adv uf-cma F (A) Adv prf F (B)+ 2 2 n. Adversary B makes q + 1 queries to its Fn oracle and has running time t plus some overhead.

18 Proof Intuition Think of eihangin, the OF - CMA game use a truly random function instead of to the PRF. Notice that the adversary 's advantage can't change much when this above change is made, else we Could build a distinguisher against the PRF. Adversary A B Run when A makes a Tag query Fncx ) Return Until A halls with output (,t) M If Fn ( m )=t ret I Else Not

19 PRF Domain Extension We have blockciphers that are good PRFs but are fixed-input-length (FIL).

20 PRF Domain Extension We have blockciphers that are good PRFs but are fixed-input-length (FIL). Want a MAC that is variable-input-length (VIL).

21 PRF Domain Extension We have blockciphers that are good PRFs but are fixed-input-length (FIL). Want a MAC that is variable-input-length (VIL). By prior result this reduces to building a VIL- PRF from a FIL-PRF (aka. PRF domain extension).

22 yen ECBC-MAC Let E : {0, 1} k B B be a block cipher, where B = {0, 1} n.the encrypted CBC (ECBC) MAC T : {0, 1} 2k B B is defind by crypt M[1] M[2] M[m 1] M[m] Alg T Kin K out (M) C[0] 0 n for i =1,...,m do C[i] E Kin (C[i 1] M[i]) T E Kout (C[m]) return T E Kin E Kin E Kin E Kin E Kout T Kin K out (M) Ee w

23 Birthday Attacks Iden : Query Fu of on a sequence messages M,,..., Mq and See if 1- block any of the outputs collide. Adversary Aq For it to q )) 'M Yitec animal aid 1- #CGie If st. Y fyq) Fiiijz ;,=Y ;, = ( net 0 then.si#ek:.eienai*?p

24 Theorem Theorem: Let E : {0, 1} k B B be a family of functions, where B = {0, 1} n.definef : {0, 1} 2k B {0, 1} n by Alg F Kin K out (M) C[0] 0 n for i =1,...,m do C[i] E Kin (C[i 1] M[i]) T E Kout (C[m]); return T Let A be a prf-adversary against F that makes at most q oracle queries, these totalling at most σ blocks, and has running time t. Then there is a prf-adversary B against E such that Adv prf F (A) Advprf E (B)+σ2 2 n and B makes at most σ oracle queries and has running time about t. e. 9,AES. with -128 Can MAC messages with total block length up to 264.

25 Proof Intuition

26 Implications The number q of m-block messages that can be safely authenticated is about 2 n/2 /m, where n is the block-length of the blockcipher, or the length of the chaining input of the compression function. MAC n m q DES-ECBC-MAC AES-ECBC-MAC AES-ECBC-MAC HMAC-SHA HMAC-SHA m =10 6 means message length 16Mbytes when n =128.

27 MACing with Hash Function The software speed of hash functions (MD5, SHA1) lead people in 1990s to ask whether they could be used to MAC. But such cryptographic hash functions are keyless. Question: How do we key hash functions to get MACs? Proposal: Let H : D {0, 1} n represent the hash function and set GSHAI T K (M) =H(K M) Is this UF-CMA / PRF secure? No in the case that hash function is constructed Via the MD paradigm.

28 Length-Extension Attack M ' 1 14 HKKMHMYµ Tttagcm o a iei±* ## { function mapping impression to h bits can compile compression ntb bits function! MHTFHHAMHDHM Adversary A net ( it ' ) T ) y h( HIM ' ) ' a(y11k1@lm'hb) ' )

29 HMAC [BCK 96] t t the case for other SHAI, Suppose H : D {0, 1} 160 is the hash function. HMAC has a 160-bit key K. Let K o =opad K and K i =ipad K where opad = 5D and ipad = 36 in HEX. Then #0 08 :{ HMAC K (M) =H(K o H(K i M)) 11 K i M '5#YD Hnacdm) H K o X H HMAC K (M) ko Killm) TKDIHCKIHM ) ]b use hash can function green,

30 Security Results Theorem: yinttdpa [BCK96] HMAC is a secure PRF assuming The compression function is a PRF The hash function is collision-resistant (CR) But recent attacks show MD5 is not CR and SHA1 may not be either. So are HMAC-MD5 and HMAC-SHA1 secure? No attacks so far, but Proof becomes vacuous! Theorem: [Be06] HMAC is a secure PRF assuming only The compression function is a PRF Current attacks do not contradict this assumption. This new result may explain why HMAC-MD5 - is standing even though MD5 is broken with regard to collision resistance.

31 Recommendations Don t use HMAC-MD5.

32 Recommendations Don t use HMAC-MD5. No immediate need to remove HMAC-SHA1.

33 Recommendations Don t use HMAC-MD5. No immediate need to remove HMAC-SHA1. But for new applications best to use HMAC- SHA2-d (for d = 256,512) or HMAC-SHA3.

34 Carter-Wegman MACs