Message authentication codes

Similar documents
CS408 Cryptography & Internet Security

Data Integrity. Modified by: Dr. Ramzi Saifan

CIS 4360 Secure Computer Systems Symmetric Cryptography

COMP4109 : Applied Cryptography

CS155. Cryptography Overview

CSCE 715: Network Systems Security

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Introduction to Cryptography. Lecture 6

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Feedback Week 4 - Problem Set

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Symmetric Crypto MAC. Pierre-Alain Fouque

Data Integrity & Authentication. Message Authentication Codes (MACs)

Data Integrity & Authentication. Message Authentication Codes (MACs)

Integrity of messages

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

1 Defining Message authentication

Cryptographic Hash Functions

Lecture 4: Authentication and Hashing

Multiple forgery attacks against Message Authentication Codes

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Summary on Crypto Primitives and Protocols

CS155. Cryptography Overview

Message Authentication Codes and Cryptographic Hash Functions

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Cryptographic hash functions and MACs

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptographic Hash Functions

Permutation-based Authenticated Encryption

CS 495 Cryptography Lecture 6

Betriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität

Authenticated Encryption

CSE 127: Computer Security Cryptography. Kirill Levchenko

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Scanned by CamScanner

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Advanced security notions for the SSH secure channel: theory and practice

Symmetric Encryption 2: Integrity

Authenticated Encryption

A Surfeit of SSH Cipher Suites

Lecture 1: Course Introduction

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Lecture 1 Applied Cryptography (Part 1)

The OCB Authenticated-Encryption Algorithm

Cryptography. Summer Term 2010

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

symmetric cryptography s642 computer security adam everspaugh

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Symmetric-Key Cryptography

Permutation-based symmetric cryptography

Message Authentication ( 消息认证 )

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

UNIT - IV Cryptographic Hash Function 31.1

On Symmetric Encryption with Distinguishable Decryption Failures

Cryptography and Network Security

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013

Unit 8 Review. Secure your network! CS144, Stanford University

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Authenticated Encryption in TLS

Computer Security CS 526

ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

Findings for

CSC 5930/9010 Modern Cryptography: Digital Signatures

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography MIS

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.

Cryptography. Lecture 12. Arpita Patra

Misuse-resistant crypto for JOSE/JWT

Cryptography Overview

Lecture 9 Authenticated Encryption

Symmetric Primitives. (block ciphers, stream ciphers, hash functions, keyed hash functions and (pseudo)random number generators)

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Outline. From last time. Feistel cipher. Some DES history DES. Block ciphers and modes of operation

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Randomness Extractors. Secure Communication in Practice. Lecture 17

Lecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Network and System Security

Chapter 11 Message Integrity and Message Authentication

Spring 2010: CS419 Computer Security

Lecture 4: Hashes and Message Digests,

Overview of Cryptography

History of message integrity techniques

Transport Layer Security

Message authentication

Introduction to Cryptography. Vasil Slavov William Jewell College

Katz, Lindell Introduction to Modern Cryptrography

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

1 Achieving IND-CPA security

APNIC elearning: Cryptography Basics

Transcription:

Message authentication codes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18)

Content Introduction security of MAC Constructions block cipher based HMAC MAC from sponge construction Secure channel MAC 2 / 14,

Introduction message authentication code (MAC) data integrity and authenticity faster than digital signatures, suitable for per-packet use shared-key (symmetric) construction A m, Mac k(m) B MAC hash function with a key key is necessary to compute the value of MAC verification by recomputation and comparison no non-repudiation property (!) requirements: efficiency & security remark: using MAC does not prevent a replay attacks (!) sequential message number, timestamp, etc. MAC 3 / 14,

Security of MAC (informally) formal definition of MAC uses three algorithms: Gen, Mac, Vrf PPT attacker A, with oracle access to Mac k (for random k) existentially unforgeable under an adaptive chosen message attack: the probability that any attacker A produces a pair (m, h) such that Mac k (m) = h (and A did not query the oracle with m) is negligible MAC uses a key, therefore the birthday attack is not applicable output of MAC can be shorter than output of a hash function for example IPSec: HMAC-SHA1-96 (truncated HMAC) MAC 4 / 14,

CBC-MAC MAC constructed from a block cipher initial attempt: m 1 m 2 m t IV = 0 n E k E k E k output secure for fixed length inputs (assuming PRP property of E) MAC 5 / 14,

CBC-MAC (2) insecure for variable length inputs: 1. A queries Mac k oracle with 1-block messages m and m 2. A obtains h = Mac k (m) = E k (m) and h = Mac k (m ) = E k (m ) 3. A queries the oracle with two-block message m x and obtains h = E k (E k (m) x) 4. Let us compute MAC for two-block message m h h x: E k (E k (m ) E k (m) E k (m ) x) = E k (E k (m) x) = h i.e. A knows the valid MAC for this message without asking the oracle MAC 6 / 14,

CBC-MAC (3) how to fix CBC-MAC: IV = 0 n m 1 m 2 m t E k E k E k D k E k two different keys k, k output derive k from k, e.g. k = k, k = E k (k)... or derive two keys from a single key: k 1 = E k (1), k 2 = E k (2) MAC 7 / 14,

CMAC authentication mode of block ciphers, approved by NIST (SP 800-38B) simplified presentation assuming that the input length is divisible by block length (padding and slightly different subkey used otherwise) m = m 1,, m t l = E k (0); k 1 = MSB(l)? (l 1) R : l 1 R is a constant depending on block length, e.g. R 128 = 0 120 10000111 the last block is transformed: m t = m t k 1 CBC processing (starting with C 0 = 0): 1. C i = E k (C i 1 m i ), for i = 1,, t 1 2. C t = E k (C t 1 m t ) final round 3. output: C t (can be truncated) MAC 8 / 14,

MAC construction based on hash functions natural but (often) insecure approaches (let H be a hash function): 1. Mac k (m) = H(k m) using some iterated H (e.g. MD-based) allows the attacker to compute MAC for an extended message 2. Mac k (m) = H(m k) using some iterated H (e.g. MD-based) means that finding collision implies colliding MAC (security of MAC reduces/weakens to collision resistance) easy to propose other ideas, e.g. H(k m k)... security proof? (btw. weaknesses were identified in this construction) MAC 9 / 14,

HMAC MAC construction based on hash functions the most popular / used MAC today (SSL/TLS, SSH, IPSec,...) provable security (if underlying compression function is PRF) construction: HMAC k (m) = H(k opad H(k ipad m)) opad/ipad block-length outer/inner padding (0x5c5c.../ 0x3636...), i.e. 64 bytes for MD5, SHA-1 or SHA-256 almost as fast as underlying hash function (just 3 additional blocks) truncation of output possible (e.g. used in IPSec) MAC 10 / 14,

Combined construction another approach: Mac k (m) = E k (H(m)) provable security, if E is PRP and H is collision resistant problems: stronger assumptions than HMAC (thus no reason to use it) block ciphers usually with short block length n and because of collisions, the bit-security is just n/2 for example AES with 128-bit block (and truncated hash) leads to 64-bit security MAC 11 / 14,

MAC from sponge construction KMAC Keccak MAC (NIST SP 800-185, 2016) basic idea of MAC from sponge hash function: input x MAC key k padding... r 0 f f... f f f c 0 MAC 12 / 14,

Secure channel (1) confidentiality & integrity/authenticity usually both needed for a secure communication authenticated encryption specific modes of a block cipher encryption (standard confidentiality modes) & MAC How to combine them properly? options (we use two independent keys k 1, k 2 ): 1. EtM (Encrypt then MAC, e.g. IPSec): c = E k1 (m), c, Mac k2 (c) 2. MtE (MAC then Encrypt, e.g. SSL/TLS): E k1 (m Mac k2 (m)) 3. E&M (Encrypt and MAC, e.g. SSH): E k1 (m), Mac k2 (m) recent situation: SSL: authenticated encryption (GCM); only AEAD ciphers for TLS 1.3 SSH: EtM MAC algorithms available (e.g. hmac-sha2-512-etm@openssh.com) MAC 13 / 14,

Secure channel (2) theory: the correct approach is EtM the problem with MtE: use any secure MAC cipher: encoding n bit plaintext to 2n bits (each bit is replaced by two bits: 0 00; 1 01 or 10 randomly) and then a secure synchronous stream cipher is applied (even one-time pad can be used) a pair 11 observed while decoding means invalid ciphertext the cipher is IND-CPA if underlying cipher is (for symmetric ciphers) flipping first two bits in the ciphertext is a correct ciphertext the first bit of the plaintext is 1 we assume that an attacker can distinguish correct/incorrect MAC situation remark: more practical scenario with SSL/TLS with MtE and oracle padding attack (padding vs. MAC error learning something about plaintext) E&M: MAC algorithm can leak information about the plaintext MAC 14 / 14,

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback