Lecture 10. Data Integrity: Message Authentication Schemes. Shouhuai Xu CS4363 Cryptography Spring

Similar documents
CS408 Cryptography & Internet Security

Lecture 4: Authentication and Hashing

CPSC 467: Cryptography and Computer Security

Data Integrity & Authentication. Message Authentication Codes (MACs)

1 Defining Message authentication

Data Integrity & Authentication. Message Authentication Codes (MACs)

Data Integrity. Modified by: Dr. Ramzi Saifan

Introduction to Cryptography. Lecture 6

CPSC 467: Cryptography and Computer Security

Lecture 10, Zero Knowledge Proofs, Secure Computation

Lecture 1 Applied Cryptography (Part 1)

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Message authentication codes

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Symmetric Crypto MAC. Pierre-Alain Fouque

S. Erfani, ECE Dept., University of Windsor Network Security

CSC574: Computer & Network Security

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

COMP4109 : Applied Cryptography

CS 161 Computer Security

Cryptographic Checksums

CS Computer Networks 1: Authentication

P2_L8 - Hashes Page 1

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Crypto Background & Concepts SGX Software Attestation

Request for Comments: 3566 Category: Standards Track Intel September The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

CSE 127: Computer Security Cryptography. Kirill Levchenko

An Efficient MAC for Short Messages

CS 495 Cryptography Lecture 6

Multiple forgery attacks against Message Authentication Codes

Chapter 11 Message Integrity and Message Authentication

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

Cryptographic hash functions and MACs

Winter 2011 Josh Benaloh Brian LaMacchia

CS 161 Computer Security

Cryptographic Hash Functions

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Lecture 1: Course Introduction

Integrity of messages

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Homework 3: Solution

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

CIS 4360 Secure Computer Systems Applied Cryptography

Encryption. INST 346, Section 0201 April 3, 2018

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

CIS 4360 Secure Computer Systems Symmetric Cryptography

CS 161 Computer Security

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Feedback Week 4 - Problem Set

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Security: Cryptography

Information Security CS526

Unit 8 Review. Secure your network! CS144, Stanford University

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

Lecture 8 - Message Authentication Codes

Chapter 7. Message Authentication. 7.1 The setting

1 Identification protocols

Computer Security: Principles and Practice

Message Authentication and Hash function 2

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Lecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Lecture 4: Cryptography III; Security. Course Administration

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Lecture 4: Hashes and Message Digests,

Message Authentication Codes and Cryptographic Hash Functions

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Proofs for Key Establishment Protocols

Chapter 4: Securing TCP connections

n-bit Output Feedback

Message Authentication with MD5 *

Chapter 6. Message Authentication. 6.1 The setting

Foundations of Cryptography CS Shweta Agrawal

Cryptographic Systems

Computer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut

CS 161 Computer Security

Information Security CS526

1 Achieving IND-CPA security

CS 161 Computer Security

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

UNIT - IV Cryptographic Hash Function 31.1

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Introduction to Cryptology Dr. Sugata Gangopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Roorkee

Cryptography and Cryptocurrencies. Intro to Cryptography and Cryptocurrencies

Security of Message Authentication Codes in the Presence of Key-Dependent Messages

CS 161 Computer Security

2.1 Basic Cryptography Concepts

Cryptography: More Primitives

Ref:

CSC 774 Network Security

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

CSC/ECE 774 Advanced Network Security

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Provably Secure Public-Key Encryption for Length-Preserving Chaumian Mixes

===============================================================================

Transcription:

Lecture 10. Data Integrity: Message Authentication Schemes Shouhuai Xu CS4363 Cryptography Spring 2007 1

Roadmap Problem Statement Definition Constructions Remarks Shouhuai Xu CS4363 Cryptography Spring 2007 2

Problem Statement Suppose you are communicating (via any channel: the air, the wire, whispering, ) with your friend Sure you want what your friend received is exactly what you sent Yeah, this is trivially ensured in the face-to-face case Now we ask the question: what if the channel is under the control of some bad guy? Shouhuai Xu CS4363 Cryptography Spring 2007 3

Sweet, If Channel Is Secure I like you! She said she likes me. That is sweet! I like you! Shouhuai Xu CS4363 Cryptography Spring 2007 4

What If There Is a Bad Guy I like you! She said she dislikes me. That is NOT sweet! I like you! I dislike you! The bad guy controls the channel (man-in-the-middle attack) Shouhuai Xu CS4363 Cryptography Spring 2007 5

How We Get There? So, we need a technical mechanism to ensure that the output of the channel is the same as the input to it (and detectable otherwise) How we achieve this in the physical world? For 10 3 years, people knew how to use sealed envelope Shouhuai Xu CS4363 Cryptography Spring 2007 6

Not It s Clear What We Want Message authentication scheme can be viewed as the analogy of sealed envelope in the physical world That is, emulating an envelope so that nobody can tamper with the content! Of course, we ignore confidentiality for simplicity You may think the envelope is transparent. But Indeed Shouhuai Xu CS4363 Cryptography Spring 2007 7

For Your Curiosity A classic part of cryptography is to emulate an envelope nobody can tamper with the content message authentication Nobody can peep the content encryption (not that simple, it took many years to understand what it is!) Shouhuai Xu CS4363 Cryptography Spring 2007 8

Warning Encryption does not provide data integrity Pro argument: If I like you is encrypted, how can the adversary change the ciphertext to a new one corresponding to the plaintext I dislike you? This has been incorrectly understood by many people for many years! So do not commit the same mistake! Shouhuai Xu CS4363 Cryptography Spring 2007 9

Roadmap Problem Statement Definition Constructions Remarks Shouhuai Xu CS4363 Cryptography Spring 2007 10

How Do We Specify a MAS? Let s recall what happens in the physical world Before you write the first letter to your friend, You two agree on a handwriting style (only you know) Before you mail you letter (in a transparent envelope), you knew how you friend will verify it You already had a tagging algorithm in your mind! When your friend receives your mail, he/she knows how to verify if the letter is from you, because He/she had a verification algorithm in mind Shouhuai Xu CS4363 Cryptography Spring 2007 11

How Do We Specify a MAS? Let s recall what happens in the physical world Before you write the first letter to your friend, Key Generation (and Distribution)! Before you mail you letter (in a transparent envelope), you knew how you friend will verify it Tagging When your friend receives your mail, he/she knows how to verify if the letter is from you, because Verification Shouhuai Xu CS4363 Cryptography Spring 2007 12

Definition A message authentication scheme MAS = (KeyGen, Tag, Ver) KeyGen is a randomized algorithm that returns a key k. That is, k KeyGen(SecurityParameter). Tag is an algorithm that takes input k and a message m, and return a tag δ. This algorithm may be probabilistic. That is, δ Tag(k,m). We also denote it by δ Tag k (m). Ver is a deterministic algorithm that takes as input the key k, a message m, and a tag δ, and returns a bit valid/invalid. That is, Ver(k,m,δ) returns valid or invalid. We also denote it by Ver k (m,δ). Shouhuai Xu CS4363 Cryptography Spring 2007 13

Disclaimer Message Authentication Scheme (MAS) and Message Authentication Code (MAC) are interchangeable. In the context of MAS, tag generation algorithm is typically the same as the tag verification algorithm. Moreover, the keys are the same. Shouhuai Xu CS4363 Cryptography Spring 2007 14

Security We have specified the syntax of message authentication schemes What is the semantics? In particular What that means when we say a message authentication scheme is secure? Shouhuai Xu CS4363 Cryptography Spring 2007 15

Security Intuition 0: If the key is leaked, then an adversary can arbitrarily forge message authentication tags. So we have to ensure that seeing polynomial many tags does not enable the adversary to recover the key, because we cannot afford to not allow the adversary to see the genuine authentication tags, because the network is open. Shouhuai Xu CS4363 Cryptography Spring 2007 16

Security Definition 0: we say a message authentication scheme is secure if seeing polynomial many authentication tags does not enable the adversary to recover the message authentication key. Is this definition good enough? Shouhuai Xu CS4363 Cryptography Spring 2007 17

Security What if the adversary can forge, say, a single genuine authentication tag (e.g., even though the adversary is still unable to get the key)? So we need to refine the definition Shouhuai Xu CS4363 Cryptography Spring 2007 18

Security Intuition 1: Seeing polynomial many genuine authentication tags still does not enable the adversary to generate a single genuine authentication tag on a different message. Is this definition good enough? Shouhuai Xu CS4363 Cryptography Spring 2007 19

Security What if the genuine authentication tags are for messages chosen by the adversary? Lunch time attack: the operator is out for lunch, the adversary has physical access to the message authentication machine to generate message authentication tags for the messages he prepared in the morning! So we need to refine the definition! Shouhuai Xu CS4363 Cryptography Spring 2007 20

Security Intuition 2: Security means that seeing polynomial many genuine authentication tags on messages chosen by the adversary does not enable the adversary to generate even a single genuine authentication tag on a new message! Is this definition good enough? Shouhuai Xu CS4363 Cryptography Spring 2007 21

Security What if the adversary can choose the next message based on the state information (or history of the output of the message authentication machine)? This is indeed called adaptive chosen message attack! Shouhuai Xu CS4363 Cryptography Spring 2007 22

Security Intuition 3: Security means that seeing polynomial many message authentication tags on messages adaptively chosen by an adversary does not enable the adversary to generate even a single genuine authentication tag on a new message! Shouhuai Xu CS4363 Cryptography Spring 2007 23

Security Intuition 3.5: Is the above definition enough? To the best of our knowledge, there is currently no more sophisticated definition. But if you can have a more sophisticated, yet meaningful one, then this lecture is paid off Shouhuai Xu CS4363 Cryptography Spring 2007 24

Now We Are Ready to Combine the above discussions together to get a full-fledged version of the definition of message authentication schemes Shouhuai Xu CS4363 Cryptography Spring 2007 25

Definition (syntax) A message authentication scheme MAS = (KeyGen, Tag, Ver) KeyGen is a randomized algorithm that returns a key k. That is, K KeyGen(SecurityParameter). Tag is an algorithm that takes input k and a message m, and return a tag δ. This algorithm may be probabilistic. That is, δ Tag(K,m). We also denote it by δ Tag K (m). Ver is a deterministic algorithm that takes as input the key K, a message m, and a tag δ, and returns a bit valid/invalid. That is, Ver(K,m,δ) returns valid or invalid. We also denote it by Ver K (m,δ). Shouhuai Xu CS4363 Cryptography Spring 2007 26

Definition (semantics) Requirements on a message authentication scheme MAS = (KeyGen, Tag, Ver), where Correctness: for any m MessageSpace, we have Ver K (m, δ = Tag K (m)) = 1 Security: unforgeability under adaptive chosenmessage attack Shouhuai Xu CS4363 Cryptography Spring 2007 27

Definition (semantics) m 1 K KeyGen(k) Pr Tag K (m 1 ) m n Tag K (m n ) m n+1, Tag K (m n+1 ) Ok, you win as Ver(K, Tag K (m n+1 ))=1 attacker subject to: m n+1 {m 1, m 2,, m n } = negligible(security-parameter k) challenger Shouhuai Xu CS4363 Cryptography Spring 2007 28

Roadmap Problem Statement Definition Constructions Remarks Shouhuai Xu CS4363 Cryptography Spring 2007 29

Constructions PRF/CBC MACs [Bellare-Kilian-Rogaway Crypto 94] XOR MACs [Bellare-Guerin-Rogaway Crypto 95] MACing use cryptographic hash function (e.g., MD5, SHA- 1) Universal Hash based MACs [Black-Halevi-Krawczyk- Krovetz-Rogaway Crypto 99] Shouhuai Xu CS4363 Cryptography Spring 2007 30

Constructions (cont.) Can we use keyed hash functions such as MD5(k,m) and SHA1(k,m) directly as a message authentication code? Currently, nobody knows, and no positive evidence But evidences do show that HMAC is good Remains to be true, even if MD5/SHA1 is not collision resistant (because a weaker property suffices HMAC!) Shouhuai Xu CS4363 Cryptography Spring 2007 31

HMAC HMAC [Bellare-Canetti-Krawczyk Crypto 96]: why hash? faster than block ciphers in software implementation software implementations are widely available not subject to export restriction HMAC is now IETF mandatory MAS Shouhuai Xu CS4363 Cryptography Spring 2007 32

HMAC Suppose H is a good(?) hash function (e.g., MD5 with 128-bit output, SHA-1 with 160-bit output). ipad = the byte 0x36 repeated 64 times opad = the byte 0x5C repeated 64 times k is the message authentication key HMAC k (m) = H(k opad, H(k ipad, m)) Shouhuai Xu CS4363 Cryptography Spring 2007 33

HMAC 1. Append zeros to the end of k to create a 64 bytes string 2. XOR the 64 byte string computed in step (1) with ipad 3. Append m to the 64 bytes string resulting from step (2) 4. Apply H to the stream generated in step (3) 5. XOR the 64 byte string computed in step (1) with opad 6. Append the in step (4) to the 64 byte result in step (5) 7. Apply H to the output in step (6) and output the result Shouhuai Xu CS4363 Cryptography Spring 2007 34

HMAC 1. The recommended length of the key is at least l bits, where l is the length of the output of the hash function (i.e., l=128 for MD5, and l=160 for SHA-1) 2. A longer key does not add significantly to the security of HMAC 3. HMAC allows truncation of the final output to, say, 80 bits Shouhuai Xu CS4363 Cryptography Spring 2007 35

HMAC: Security Security of HMAC can be justified given some reasonable assumptions about the strength of the underlying H Assume only that H has a certain kind of weak collisionfreeness and some limited unpredictability Details may be covered in advanced cryptography course Shouhuai Xu CS4363 Cryptography Spring 2007 36

Roadmap Problem Statement Definition Constructions Remarks Shouhuai Xu CS4363 Cryptography Spring 2007 37

Applications Friend-Or-Foe TESLA: multicast authentication As a building block in advanced protocols find more that is your contribution Shouhuai Xu CS4363 Cryptography Spring 2007 38

What MAC Isn t? When Alice and Bob are in honeymoon, Bob said I will give all my property to Alice if we divorce someday. The statement is authenticated using a message authentication code with a key known to both Alice and Bob. Alice (knowing some crypto) is happy and keeps it in a safe. Life is really wonderful many days passed sweet Shouhuai Xu CS4363 Cryptography Spring 2007 39

What MAC Isn t? (cont.) Unfortunately, bad days come up Divorce is on agenda; Alice presents the safe to a judge... Can Alice convince the judge that Bob did make the promise? No way! Alice could have done it herself! Shouhuai Xu CS4363 Cryptography Spring 2007 40

What MAC Isn t? (cont.) How we solve the Alice-Bob puzzle? digital signature Shouhuai Xu CS4363 Cryptography Spring 2007 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback