Lecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Similar documents
Symmetric Crypto MAC. Pierre-Alain Fouque

Introduction to Cryptography. Lecture 6

Data Integrity & Authentication. Message Authentication Codes (MACs)

Lecture 4: Authentication and Hashing

Data Integrity & Authentication. Message Authentication Codes (MACs)

Symmetric Encryption 2: Integrity

1 Defining Message authentication

symmetric cryptography s642 computer security adam everspaugh

CS408 Cryptography & Internet Security

Lecture 1: Course Introduction

Message authentication codes

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Data Integrity. Modified by: Dr. Ramzi Saifan

COMP4109 : Applied Cryptography

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Cryptographic hash functions and MACs

Integrity of messages

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Chapter 11 Message Integrity and Message Authentication

Multiple forgery attacks against Message Authentication Codes

Concrete cryptographic security in F*

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Lecture 9 Authenticated Encryption

CS155. Cryptography Overview

Cryptographic Hash Functions

An Efficient MAC for Short Messages

Betriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität

Lecture 1 Applied Cryptography (Part 1)

Cryptology complementary. Symmetric modes of operation

Lecture 8 - Message Authentication Codes

symmetric cryptography s642 computer security adam everspaugh

Lecture 10. Data Integrity: Message Authentication Schemes. Shouhuai Xu CS4363 Cryptography Spring

CSE 127: Computer Security Cryptography. Kirill Levchenko

CS 495 Cryptography Lecture 6

Cryptographic Checksums

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Unit 8 Review. Secure your network! CS144, Stanford University

CSCE 715: Network Systems Security

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

Overview of Cryptography

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Course Administration

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Symmetric Cryptography

CS 161 Computer Security

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Permutation-based Authenticated Encryption

Feedback Week 4 - Problem Set

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

P2_L8 - Hashes Page 1

CSC 5930/9010 Modern Cryptography: Digital Signatures

Lecture 4: Hashes and Message Digests,

Message Authentication Codes and Cryptographic Hash Functions

Generic collision attacks on hash-functions and HMAC

CSC574: Computer & Network Security

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

Cryptography Overview

UNIT - IV Cryptographic Hash Function 31.1

Refresher: Applied Cryptography

Cryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Authenticated Encryption

CIS 4360 Secure Computer Systems Symmetric Cryptography

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

CS155. Cryptography Overview

Lecture 8: Cryptography in the presence of local/public randomness

Permutation-based symmetric cryptography

Cryptography (cont.)

Summary on Crypto Primitives and Protocols

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

SSH Algorithms for Common Criteria Certification

Computer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Homework 3: Solution

The MD6 Hash Function (aka Pumpkin Hash ) Ronald L. Rivest MIT CSAIL CRYPTO 2008

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

ENEE 459-C Computer Security. Message authentication

Security Analysis of Extended Sponge Functions. Thomas Peyrin

Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

Winter 2011 Josh Benaloh Brian LaMacchia

Cryptographic Hash Functions

Authenticated Encryption in TLS

Lecture 4: Cryptography III; Security. Course Administration

The Rectangle Attack

Goals of Modern Cryptography

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Information Security CS526

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Solutions to exam in Cryptography December 17, 2013

CPSC 467b: Cryptography and Computer Security

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Cryptography. Summer Term 2010

Transcription:

Lecture 8 Message Authentication COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/

Setting the Stage We now have two lower-level primitives in our tool bag: blockciphers and hash functions.

Setting the Stage We now have two lower-level primitives in our tool bag: blockciphers and hash functions. Today we study our second higher-level primitive, message authentication codes.

Setting the Stage We now have two lower-level primitives in our tool bag: blockciphers and hash functions. Today we study our second higher-level primitive, message authentication codes. Note that authenticity of data is arguably even more important than privacy.

Setting and Goals 0*0=05. Alice Integrity lavthenticity of data. VM * m is not modified Eve by Eve * Alice really sent on. / ^

Example: Electronic Banking Like.de#ngtbdI**isaY A { are a Eve could try to change $100 to $1000 or charge Bob to Eve.

Syntax and Usage n AmessageauthenticationcodeT :Keys D R is a family of functions. The envisaged usage is shown below, where A is the adversary: of m tag upon teaeiry, Keys K (,t1 accept on under key iff of = t.sk#jig affiliates Bob on

vhforgeasility under alhosen message attack UF-CMA Let T : Keys D R be a message authentication code. Let A be an adversary. Game UFCMA T procedure Initialize K $ Keys ; S procedure Tag(M) T ot K (M); S S {M} return T procedure Finalize(M, T ) If M S then return false If M D then return false Return (T = T K (M)) The uf-cma advantage of adversary A is ] Adv uf-cma T (A) = Pr [UFCMA A T true.

Lower-Bound on Tag Length Consider an adversary which simply guesses a tag at random. Adversary t $R A ret ( mit ) for some arbitrary.me/).adruytanaca1=prtufcmaf=71t => for n - bit 1 security we need Iog k/2n.

.. Basic CBC-MAC g Cipher - block Chaining Let E : {0, 1} k B B be a blockcipher, where B = {0, 1} n.viewa message M B as a sequence of n-bit blocks, M = M[1]...M[m]. The basic CBC MAC T : {0, 1} k B B is defined by Alg T K (M) C[0] 0 n for i =1,...,m do C[i] E K (C[i 1] M[i]) A Adversary return C[m] MFD ma ] T, Tag( MID) o % t Ti Tzttagcoy cm##.) IFHE f gy - not taend k.

Splicing Attack See pneniovs slide in

Replay Attacks Refers to a real-life adversary being able to capture and re-transmit a message and tag.

Replay Attacks Refers to a real-life adversary being able to capture and re-transmit a message and tag. Not captured by UF-CMA.

Replay Attacks Refers to a real-life adversary being able to capture and re-transmit a message and tag. Not captured by UF-CMA. Best dealt with as an add-on to standard message authentication.

Using Timestamps Let Time A be the time as per Alice s local clock and Time B the time as per Bob s local clock. Alice sends (M, T K (M), Time A ) Bob receives (M, T, Time) andacceptsiff T = T K (M) and Time B Time where is a small threshold. Does this work? the problem is that Time is not authenticated! Alice should send ( M, Tk ( Mlkineaftinea )

Using Counters Alice maintains a counter ctr A and Bob maintains a counter ctr B.Initially both are zero. Alice sends (M, T K (M ctr A )) and then increments ctr A Bob receives (M, T ). If T K (M ctr B )=T then Bob accepts and increments ctr B.

- random pseudo function message - \ authentication PRF-as-a-MAC Code. If F is PRF-secure then it is also UF-CMA-secure: Theorem [GGM86,BKR96]: Let F : {0, 1} k D {0, 1} n be a family of functions. Let A be a uf-cma adversary making q Tag queries and having running time t. Then there is a prf-adversary B such that Adv uf-cma F (A) Adv prf F (B)+ 2 2 n. Adversary B makes q + 1 queries to its Fn oracle and has running time t plus some overhead.

Proof Intuition Think of eihangin, the OF - CMA game use a truly random function instead of to the PRF. Notice that the adversary 's advantage can't change much when this above change is made, else we Could build a distinguisher against the PRF. Adversary A B Run when A makes a Tag query Fncx ) Return Until A halls with output (,t) M If Fn ( m )=t ret I Else Not

PRF Domain Extension We have blockciphers that are good PRFs but are fixed-input-length (FIL).

PRF Domain Extension We have blockciphers that are good PRFs but are fixed-input-length (FIL). Want a MAC that is variable-input-length (VIL).

PRF Domain Extension We have blockciphers that are good PRFs but are fixed-input-length (FIL). Want a MAC that is variable-input-length (VIL). By prior result this reduces to building a VIL- PRF from a FIL-PRF (aka. PRF domain extension).

yen ECBC-MAC Let E : {0, 1} k B B be a block cipher, where B = {0, 1} n.the encrypted CBC (ECBC) MAC T : {0, 1} 2k B B is defind by crypt M[1] M[2] M[m 1] M[m] Alg T Kin K out (M) C[0] 0 n for i =1,...,m do C[i] E Kin (C[i 1] M[i]) T E Kout (C[m]) return T E Kin E Kin E Kin E Kin E Kout T Kin K out (M) Ee w

Birthday Attacks Iden : Query Fu of on a sequence messages M,,..., Mq and See if 1- block any of the outputs collide. Adversary Aq For it to q )) 'M Yitec animal aid 1- #CGie If st. Y fyq) Fiiijz ;,=Y ;, = ( net 0 then.si#ek:.eienai*?p

Theorem Theorem: Let E : {0, 1} k B B be a family of functions, where B = {0, 1} n.definef : {0, 1} 2k B {0, 1} n by Alg F Kin K out (M) C[0] 0 n for i =1,...,m do C[i] E Kin (C[i 1] M[i]) T E Kout (C[m]); return T Let A be a prf-adversary against F that makes at most q oracle queries, these totalling at most σ blocks, and has running time t. Then there is a prf-adversary B against E such that Adv prf F (A) Advprf E (B)+σ2 2 n and B makes at most σ oracle queries and has running time about t. e. 9,AES. with -128 Can MAC messages with total block length up to 264.

Proof Intuition

Implications The number q of m-block messages that can be safely authenticated is about 2 n/2 /m, where n is the block-length of the blockcipher, or the length of the chaining input of the compression function. MAC n m q DES-ECBC-MAC 64 1024 2 22 AES-ECBC-MAC 128 1024 2 54 AES-ECBC-MAC 128 10 6 2 44 HMAC-SHA1 160 10 6 2 60 HMAC-SHA256 256 10 6 2 108 m =10 6 means message length 16Mbytes when n =128.

MACing with Hash Function The software speed of hash functions (MD5, SHA1) lead people in 1990s to ask whether they could be used to MAC. But such cryptographic hash functions are keyless. Question: How do we key hash functions to get MACs? Proposal: Let H : D {0, 1} n represent the hash function and set GSHAI T K (M) =H(K M) Is this UF-CMA / PRF secure? No in the case that hash function is constructed Via the MD paradigm.

Length-Extension Attack M ' 1 14 HKKMHMYµ Tttagcm o a iei±* ## { function mapping impression to h bits can compile compression ntb bits function! MHTFHHAMHDHM Adversary A net ( it ' ) T ) y h( HIM ' ) ' a(y11k1@lm'hb) ' )

HMAC [BCK 96] t t the case for other SHAI, Suppose H : D {0, 1} 160 is the hash function. HMAC has a 160-bit key K. Let K o =opad K 0 352 and K i =ipad K 0 352 where opad = 5D and ipad = 36 in HEX. Then #0 08 :{ HMAC K (M) =H(K o H(K i M)) 11 K i M '5#YD Hnacdm) H K o X H HMAC K (M) ko Killm) TKDIHCKIHM ) ]b use hash can function green,

Security Results Theorem: yinttdpa [BCK96] HMAC is a secure PRF assuming The compression function is a PRF The hash function is collision-resistant (CR) But recent attacks show MD5 is not CR and SHA1 may not be either. So are HMAC-MD5 and HMAC-SHA1 secure? No attacks so far, but Proof becomes vacuous! Theorem: [Be06] HMAC is a secure PRF assuming only The compression function is a PRF Current attacks do not contradict this assumption. This new result may explain why HMAC-MD5 - is standing even though MD5 is broken with regard to collision resistance.

Recommendations Don t use HMAC-MD5.

Recommendations Don t use HMAC-MD5. No immediate need to remove HMAC-SHA1.

Recommendations Don t use HMAC-MD5. No immediate need to remove HMAC-SHA1. But for new applications best to use HMAC- SHA2-d (for d = 256,512) or HMAC-SHA3.

Carter-Wegman MACs

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback