Symmetric Crypto MAC. Pierre-Alain Fouque

Similar documents
COMP4109 : Applied Cryptography

Data Integrity & Authentication. Message Authentication Codes (MACs)

CS408 Cryptography & Internet Security

ECE 646 Lecture 8. Modes of operation of block ciphers

Lecture 1 Applied Cryptography (Part 1)

Message authentication codes

Data Integrity & Authentication. Message Authentication Codes (MACs)

Lecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Cryptographic hash functions and MACs

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

CS155. Cryptography Overview

Introduction to Cryptography. Lecture 6

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Security Requirements

Symmetric Encryption 2: Integrity

Betriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität

Authenticated Encryption

Data Integrity. Modified by: Dr. Ramzi Saifan

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Multiple forgery attacks against Message Authentication Codes

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

CS155. Cryptography Overview

symmetric cryptography s642 computer security adam everspaugh

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Lecture 4: Cryptography III; Security. Course Administration

CSCE 715: Network Systems Security

Summary on Crypto Primitives and Protocols

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Lecture 4: Authentication and Hashing

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Feedback Week 4 - Problem Set

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

CIS 4360 Secure Computer Systems Symmetric Cryptography

Symmetric-Key Cryptography

History of message integrity techniques

UNIT - IV Cryptographic Hash Function 31.1

IDEA, RC5. Modes of operation of block ciphers

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

Scanned by CamScanner

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Appendix A: Introduction to cryptographic algorithms and protocols

Cryptography Overview

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Integrity of messages

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

CSE 127: Computer Security Cryptography. Kirill Levchenko

Cryptography Overview

Public-key Cryptography: Theory and Practice

ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.

Ref:

Authenticated Encryption

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

The OCB Authenticated-Encryption Algorithm

Cryptography. Andreas Hülsing. 6 September 2016

Solutions to exam in Cryptography December 17, 2013

1 Defining Message authentication

CS 495 Cryptography Lecture 6

Concrete cryptographic security in F*

Authenticated encryption

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

Spring 2010: CS419 Computer Security

CSC574: Computer & Network Security

Lecture 10. Data Integrity: Message Authentication Schemes. Shouhuai Xu CS4363 Cryptography Spring

Symmetric Cryptography

symmetric cryptography s642 computer security adam everspaugh

Permutation-based Authenticated Encryption

Course Administration

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 9 Authenticated Encryption

S. Erfani, ECE Dept., University of Windsor Network Security

Hash functions & MACs

CIS 4360 Secure Computer Systems Applied Cryptography

Cryptographic Hash Functions

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Introduction to Symmetric Cryptography

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Message Authentication ( 消息认证 )

: Practical Cryptographic Systems March 25, Midterm

CPSC 467: Cryptography and Computer Security

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Misuse-resistant crypto for JOSE/JWT

Message Authentication Codes and Cryptographic Hash Functions

CS 161 Computer Security

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

P2_L8 - Hashes Page 1

The JAMBU Lightweight Authentication Encryption Mode (v2)

Unit 8 Review. Secure your network! CS144, Stanford University

Computer Security: Principles and Practice

Lecture 3: Public-Key Cryptography

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

CIS 6930/4930 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Cryptographic Checksums

Transcription:

Symmetric Crypto MAC Pierre-Alain Fouque

Message Authentication Code (MAC) Warning: Encryption does not provide integrity Eg: CTR mode ensures confidentiality if the blockcipher used is secure. However, no integrity is guaranteed. (CBC first block) Alice C 1 C 1 Bank M 1 = «$200 on Bob s account» C 1 = (ctr) M 1 Eve M 1 = «$2000 on Eve s account» C 1 = C 1 M 1 M 1

Definition of Message Authentication Code Key generation: randomized alg. output: key uniformly distributed Tag MAC generation: randomized or deterministic input: M {0,1} * output: tag τ {0,1}t : τ = M K ( M ) Verification: deterministic alg. input: tag τ {0,1} t and message M output: bit if the tag is valid for this message s.t. for any K and message M, if τ = M K ( M ), then V K (τ, M ) = 1

Security game Adversary s goals: 1. key recovery attacks 2. forgery: producing a valid MAC for some message M (of his choice, or any) Adversary s ressources: 1. known message attack: interception of MACs. Adv. knows pair (M, τ) of already tagged messages 2. chosen message attack: Adv. knows the tag of message of his choice (access to a MAC generation alg. adaptively or not)

Security game Def: Combining an adversary s goal and some ressources SUF-CMA: strongly inforgeability against chosen message attacks Challenger M i τ i (M, τ) 1 : valid tag Adversary A Adv ( A ) = Pr ( Expérience retourne 1)

Generic Security 1. For a t-bit MAC, advantage (forgery probability) is always at least 1/2 t 2. Among 2 t/2 MACs, by the birthday paradox, there is a collision between two of them: these collisions can be used to recover the keys...

MAC vs. Signature Signatures: used for vertifying public keys, guarantee non-repudiation, same properties than hand-written signature MACs: very good performences, secret-key shared between two users no non-repudiation, no public verification

First construction Let F : {0,1} k {0,1} * {0,1} t a random function (i.e. outputs are indistinguishable from random values) MAC construction: For message M = M 1 M m, τ = F K ( M 1 ) F K ( M m ) Is this scheme secure?

Second Example Let F : {0,1} k {0,1} * {0,1} t random function For message M = M 1 M m For i = 1 to m, y i = F K ( <i>, M i ) τ = y 1 y m Is this scheme secure?

unencrypted CBC-MAC C i = (M i C i-1 ) MAC = C m Secure only for constant length messages M 1 M 2 M m C 1 C 2 Mac = C m

Security CBC-MAC Let 2 arbitrary messages M and M M 1 M 2 M 3 MAC(M) is C 3 = Mac C 1 C 2 Mac = C 3 M 1 M 2 MAC(M ) is C 2 = Mac C 1 Mac = C 2

unencrypted CBC-MAC Given MACs of M and M, it is possible to forge MAC of another message M 1 M 2 M 3 M 1 Mac M 2 C 1 C 2 C 3 C 1 Mac =C 2 Recovering the secret key is in 2 k MAC computation where k is the bit length of the used key (exhaustive search)

No IV in CBC-MAC The integrity of the first block is not ensured if an IV is used IV M 1 M 2 M 1 IV IV IV M 2 C 1 Mac = C 2 C 1 Mac = C 2 ( M, IV, Mac ) ( M, IV, Mac ) 20

Encrypted CBC-MAC (EMAC) C i = (M i C i-1 ) and MAC = (C m ) Secure if less than 2 n/2 MACs are computed M 1 M 2 M m C 1 C 2 C m Mac = C m+1

Security Analysis Assume 2 n/2 MACs computed: ( M i, τ i ), 0 i 2 n/2 and M i M j Using Birthday Paradox, there exists i,j s.t. i j and τ i = τ j Ask MAC τ of M i R, where R is a random block Claim: One can forge MAC for message M j R : τ

Hash-based MAC Consider the following MAC scheme: MAC K ( M ) = H ( K M ) Is it secure?

HMAC HMAC K ( M ) = H(K opad, H( K ipad, M )) where ipad and opad are constant values:

Encryption and Authentication IPSEC: MAC-Then-Encrypt SSL/TLS: Encrypt-Then-MAC SSH: MAC-And-Encrypt

Mac-And-Encrypt Non-secure mode of operation Confidentiality is not guaranteed Plaintext MAC contains information on the plaintext MAC Encryption MAC ciphertext

MAC-then-Encrypt Non-always secure but it could be In practice, one can construct secure scheme Plaintext MAC τ Encryption authenticated ciphertext

CCM: Mac-then-encrypt CCM proposed by Housley, Whiting and Ferguson Wifi network NIST in 2003, operation mode for AES CBC-MAC then CTR associated data security proof

CCM mode B[0] M[1] M[i-1] M[i] M[m] τ ctr ctr+1 ctr+i ctr+m τ M[1] M[i] M[m] C[0] C[1] C[i] C[m]

Encrypt-then-MAC Secure if the encryption mode is secure and if the MAC is secure Plaintext Encryption ciphertext MAC τ authenticated encryption

Encrypt-then-MAC IV M[1] M[i-1] M[i] M[m] C[0] C[1] C[i-1] C[i] C[m] τ

One-pass Mode Message is treated once: More efficient : near as efficient as one encryption One key Examples : IAPM, IACBC, OCB,

IACBC mode r M[1] M[m -1] Checksum S 1 S m-1 S m C[0] C[1] C[m -1] C[m]

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback