COMP4109: Applied Cryptography, Fall 2013
M. Jason Hinek, Carleton University

Applied Cryptography, Day 8 (and maybe 9)
Secret-key primitives: message authentication codes; pseudorandom number generators
A message authentication code (MAC)
- provides data integrity and data origin authentication in the private-key setting
- is a family of functions (parametrized by k)
      H_k : {0,1}^* -> {0,1}^n
  where k is an l-bit key and H_k is an n-bit hash function
- H_k(m) is called the MAC or tag of message m
A message authentication code (MAC)
- Alice and Bob share a secret key k
- Alice computes t = H_k(m) and sends (m, t) to Bob
- Bob receives (m', t') and checks that t' = H_k(m')
- Bob has confidence that m' = m (and t' = t)
- Bob has confidence that (m, t) was sent by Alice
A message authentication code (MAC)
Security of MACs
- Alice and Bob know k; Eve does not know k
- Eve is allowed (polynomially many) tags for messages of her choice: oracle access to H_k(.) with polynomially many calls, i.e. a chosen-message attack
- Eve tries to generate a valid message-tag pair (m', t') for any m' (provided she did not already ask for the tag of m')
- a MAC algorithm is secure if, given polynomially many message-MAC pairs (m_i, H_k(m_i)), it is computationally infeasible to generate a message-MAC pair (m, H_k(m)) for any new message m with non-negligible probability
- such a MAC is said to be existentially unforgeable against chosen-message attacks
Security of MACs
- existential forgery: the adversary can create a valid message-MAC pair for some message m (any m will do)
- selective forgery: the adversary can create a valid message-MAC pair for a chosen message m (selected by the adversary before the attack)
- universal forgery: the adversary can create a valid message-MAC pair for any message m
Generic attacks on MACs
1. guess the tag: choose y in {0,1}^n and guess that H_k(m) = y
   - probability of success 2^-n, assuming H_k(.) is a random function
   - n must be large enough to make this infeasible (we cannot directly check whether the guess is correct!)
2. exhaustive search for the key k, given r message-MAC pairs
   - test each candidate key k' by trying to verify each of the r known pairs with k'
   - assuming H_k(.) is a random function, what is the expected number of keys such that all r pairs are verified?
   - homework: 2^(l - nr)
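A small experiment, added here and not part of the slides, that checks the homework estimate 2^(l - nr) empirically: a toy MAC with a constructed 12-bit key l and 4-bit tag n is searched exhaustively, and the number of keys consistent with r known pairs is compared with the estimate. The toy MAC (HMAC-SHA256 truncated to n bits) is an assumption standing in for a random function.

```python
import hashlib
import hmac

L_BITS = 12   # toy key length l (constructed: 4096 keys, so the search is instant)
N_BITS = 4    # toy tag length n (tags are truncated to 4 bits)


def toy_mac(key: int, msg: bytes) -> int:
    """Toy H_k: HMAC-SHA256 under a 12-bit key, truncated to an n-bit tag.
    Truncating a good PRF to n bits behaves like a random function, which is
    exactly the assumption behind the 2^(l - nr) estimate on the slide."""
    k = key.to_bytes(2, "big")
    digest = hmac.new(k, msg, hashlib.sha256).digest()
    return digest[0] >> (8 - N_BITS)


def consistent_keys(pairs):
    """Exhaustive search: keep every candidate key that verifies all r pairs."""
    return [k for k in range(1 << L_BITS)
            if all(toy_mac(k, m) == t for m, t in pairs)]


def expected_consistent(r: int) -> int:
    """The slide's estimate: about 2^(l - nr) keys survive r known pairs
    (the true key plus the false positives a random function produces)."""
    return 2 ** (L_BITS - N_BITS * r)


def run_experiment(true_key: int, r: int) -> int:
    """Return how many keys verify r constructed (message, tag) pairs made
    under true_key. With l = 12 and n = 4: r = 1 leaves ~256 keys, r = 2
    leaves ~16, and r = 3 pins the key down to ~1 (plus a few accidents)."""
    msgs = [b"constructed message %d" % i for i in range(r)]
    pairs = [(m, toy_mac(true_key, m)) for m in msgs]
    survivors = consistent_keys(pairs)
    assert true_key in survivors      # the real key always verifies
    return len(survivors)


if __name__ == "__main__":
    for r in (1, 2, 3):
        print(r, run_experiment(0x5A5, r), "vs estimate", expected_consistent(r))
```

The counts fluctuate around the estimate because the false positives are random; the point is that each extra pair divides the surviving key space by 2^n.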
Hash-based MACs
- H_k(m) = h(k || m)
  - given (m, H_k(m)), then (m || y, H_k(m || y)) is a selective forgery for hash functions that admit extension attacks: insecure
  - SHA-3 does not admit extension attacks
- H_k(m) = h(m || k)
  - given a collision H_k(x_1) = H_k(x_2), then asking for the MAC of x_1 also gives the MAC of x_2: insecure
- H_k(m) = h(k || m || k)
  - secure? maybe not.
Keyed-hash message authentication code (HMAC)
- HMAC(k, m) = h( (k ⊕ opad) || h( (k ⊕ ipad) || m ) )
- security is based on the security of the hash function used
- one can forge MACs using MD4 (because MD4 is too weak)
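The HMAC formula above, built directly on hashlib, together with the receiver's check t' = H_k(m') from the MAC slide. This is an added example, not the lecture's code; the key padding rule (hash keys longer than a block, zero-pad shorter ones) and the 0x36/0x5c pad bytes are those of RFC 2104, and the verifier uses a constant-time comparison so a byte-at-a-time timing leak cannot help a forger.

```python
import hashlib
import hmac

BLOCK_SIZE = 64                     # SHA-256 block size in bytes
IPAD = bytes([0x36]) * BLOCK_SIZE   # inner pad
OPAD = bytes([0x5C]) * BLOCK_SIZE   # outer pad


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC(k, m) = h((k xor opad) || h((k xor ipad) || m)) with h = SHA-256.
    A key longer than one block is hashed first; the result (or a short key)
    is zero-padded to BLOCK_SIZE before the XOR with the pads."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner = hashlib.sha256(xor_bytes(key, IPAD) + msg).digest()
    return hashlib.sha256(xor_bytes(key, OPAD) + inner).digest()


def verify(key: bytes, msg: bytes, received_tag: bytes) -> bool:
    """Bob's check t' == H_k(m'). compare_digest runs in time independent of
    where the first mismatching byte is, so Eve learns nothing from timing."""
    return hmac.compare_digest(hmac_sha256(key, msg), received_tag)


if __name__ == "__main__":
    k, m = b"constructed shared key", b"transfer 100 to Bob"
    t = hmac_sha256(k, m)
    print(t.hex())
    print("accepted:", verify(k, m, t), "tampered:", verify(k, m + b"0", t))
```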
Block cipher MACs: CBC-MAC
Authenticated Encryption
- provides confidentiality, data integrity and data origin authentication
- encrypt-then-mac: encrypt the plaintext, then authenticate the encryption
- encrypt-and-mac: encrypt the plaintext and, separately, authenticate the plaintext; used in SSH
- mac-then-encrypt: authenticate the plaintext, then encrypt the plaintext together with its tag; used in SSL/TLS
- there are several AE modes: CCM, CWC, OCB, EAX, GCM
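The encrypt-then-mac composition from the list above as an added, stdlib-only example (not from the lecture): the MAC is computed over nonce and ciphertext with its own key, and the receiver verifies the tag before any decryption happens, so a modified ciphertext is rejected without ever being processed. The keystream cipher here is a constructed stand-in (HMAC-SHA256 in counter mode) so the block runs without an AES library; it only illustrates the composition.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed CTR-style keystream: HMAC-SHA256(key_enc, nonce || counter).
    Assumption: stands in for a real stream/CTR cipher in this illustration."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key_enc, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_then_mac(key_enc: bytes, key_mac: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC the ciphertext (and the nonce) under a separate key."""
    nonce = os.urandom(NONCE_LEN)
    ct = xor(plaintext, keystream(key_enc, nonce, len(plaintext)))
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_verified(key_enc: bytes, key_mac: bytes, blob: bytes):
    """Verify the tag first; only an authentic ciphertext is decrypted.
    Returns the plaintext, or None if the blob fails authentication."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None   # reject before decrypting: no oracle on the plaintext
    return xor(ct, keystream(key_enc, nonce, len(ct)))


def tamper_is_rejected(key_enc: bytes, key_mac: bytes, plaintext: bytes) -> bool:
    """Flip one ciphertext bit and confirm the receiver rejects the message."""
    blob = bytearray(encrypt_then_mac(key_enc, key_mac, plaintext))
    blob[NONCE_LEN] ^= 0x01
    return decrypt_verified(key_enc, key_mac, bytes(blob)) is None
```

With mac-then-encrypt the receiver must decrypt before it can check the tag, which is where padding and decryption side channels come from; verifying first avoids that class of problem.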
Project and Assignments
Assignments:
- Friday, Oct 25 (available Friday, Oct 11)
- Friday, Nov 15
- Friday, Dec 6
Project: demos Dec 4 and 6 (maybe 1-2 weeks earlier though; have to check regulations)
Exam: Friday, Dec 13 (available Monday, Dec 9)
Project Topics
Possible topics:
- keyless: hash functions, attacks on hash functions, SHA-3, ...
- secret key: AES, MACs (CMAC, HMAC, etc.), PRNGs; attacks on encryption schemes: differential cryptanalysis, linear cryptanalysis, impossible differential cryptanalysis, ...; attacks on hash functions, attacks on PRNGs
- public key: schemes, attacks on schemes
- systems that use cryptography: electronic voting, privacy enhancing tools, ...; attacks on systems that use crypto (that exploit the crypto use or misuse in some way)
Crypto Conferences/Workshops
- International Association for Cryptologic Research
- Cryptology ePrint Archive
- Selected Areas in Cryptography
- James Muir's LNCS links
Blogs/People
- Freedom to Tinker (Ed Felten, Alex Halderman, Nadia Heninger)
- Schneier on Security
- Matt Green