COMP4109 : Applied Cryptography

Similar documents
Data Integrity. Modified by: Dr. Ramzi Saifan

CS408 Cryptography & Internet Security

Symmetric Crypto MAC. Pierre-Alain Fouque

COMP4109 : Applied Cryptography

COMP4109 : Applied Cryptography

Message authentication codes

Lecture 4: Authentication and Hashing

Feedback Week 4 - Problem Set

symmetric cryptography s642 computer security adam everspaugh

Multiple forgery attacks against Message Authentication Codes

Lecture 1 Applied Cryptography (Part 1)

Data Integrity & Authentication. Message Authentication Codes (MACs)

Data Integrity & Authentication. Message Authentication Codes (MACs)

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Introduction to Cryptography. Lecture 6

Integrity of messages

CSE 127: Computer Security Cryptography. Kirill Levchenko

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

CS155. Cryptography Overview

1 Defining Message authentication

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Message Authentication ( 消息认证 )

UNIT - IV Cryptographic Hash Function 31.1

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

CSC574: Computer & Network Security

Course Administration

Cryptographic hash functions and MACs

Betriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität

Authenticated Encryption

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Computer Security: Principles and Practice

S. Erfani, ECE Dept., University of Windsor Network Security

Message Authentication Codes and Cryptographic Hash Functions

CS 495 Cryptography Lecture 6

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Other Topics in Cryptography. Truong Tuan Anh

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Symmetric Encryption 2: Integrity

ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

CSC 774 Network Security

Cryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

CSC/ECE 774 Advanced Network Security

Lecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Introduction to Cryptography, Helger Lipmaa

Public-key Cryptography: Theory and Practice

Cryptography Overview

Cryptographic Checksums

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Message authentication

Ref:

Authenticated Encryption

Chapter 11 Message Integrity and Message Authentication

Symmetric Cryptography

Summary on Crypto Primitives and Protocols

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CS155. Cryptography Overview

P2_L8 - Hashes Page 1

Hash functions & MACs

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 10. Data Integrity: Message Authentication Schemes. Shouhuai Xu CS4363 Cryptography Spring

Lecture 1: Course Introduction

CSCE 715: Network Systems Security

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Cryptographic Hash Functions

CSC 474/574 Information Systems Security

Spring 2010: CS419 Computer Security

CPSC 467: Cryptography and Computer Security

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

CS Computer Networks 1: Authentication

IS 2150 / TEL 2810 Information Security and Privacy

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

INSE 6110 Midterm LAST NAME FIRST NAME. Fall 2016 Duration: 80 minutes ID NUMBER. QUESTION Total GRADE. Notes:

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Permutation-based Authenticated Encryption

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Unit 8 Review. Secure your network! CS144, Stanford University

CPSC 467: Cryptography and Computer Security

Introduction to Cryptography, Helger Lipmaa

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

Symmetric encrypbon. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

Security Requirements

Lecture 4: Cryptography III; Security. Course Administration

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

Overview of Cryptography

Appendix A: Introduction to cryptographic algorithms and protocols

Computer Security CS 526

ECE 646 Lecture 8. Modes of operation of block ciphers

Solutions to exam in Cryptography December 17, 2013

CIS 4360 Secure Computer Systems Symmetric Cryptography

Permutation-based symmetric cryptography

Transcription:

COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University

Applied Cryptography Day 8 (and maybe 9) secret-key primitives Message Authentication Codes Pseudorandom number generators 2

a message authentication code (MAC) provides data integrity and data origin authentication in the private key setting is a family of functions (parametrized by k) H k : {0,1} {0,1} n where k is an l-bit key and H k is an n-bit hash function H k (m) is call the MAC or tag of message m 3

a message authentication code (MAC) Alice and Bob share a secret key k Alice computes t = H k (m) and send (m,t) to Bob Bob receives (m,t ) and checks that t = H k (m ) has condence m = m (and t = t) has condence (m,t) was sent by Alice 4

a message authentication code (MAC) 5

a message authentication code (MAC) 5

a message authentication code (MAC) 5

a message authentication code (MAC) 5

a message authentication code (MAC) 5

a message authentication code (MAC) 5

a message authentication code (MAC) 5

security of MACs Alice and Bob know k Eve does not know k Eve is allowed (polynomially many) tags for messages of her choice oracle access to H k () (polynomially many calls) chosen-message attack Eve tries to generate a valid message-tag pair (m,t ) for any m (provided she did not ask for the tag of m already) a MAC algorithm is secure if, given polynomially many message-mac pairs (m i,h k (m i )), it is computationally infeasible to generate a message-mac pair (m,h k (m)) for any new message with non-negligible probability such a MAC is said to be existentially unforgeable against chosen-message attacks 6

security of MACs existential forgery: an adversary can create a valid message-mac pair for some message m (any message m) selective forgery: an adversary can create a valid message-mac pair for a chosen message m (selected by the adversary before the attack) universal forgery: an adversary can create a valid message-mac pair for any message m 7

generic attacks on MACs 1. choose y {0,1} n and guess that H k (m) = y probability of success 2 n assuming H k () is random function n must be large enough to make this infeasible (we cannot directly check if guess is correct!) 2. exhaustive search for key k given r message-mac pairs test each key k by trying to verify each of the r known pairs with k assuming H k () is random function what is expected number of keys such that all r pairs are veried? homework: 2 l nr 8

hash-based MACs H k (m) = h(k m) H k (m) = h(m k) H k (m) = h(k m k) 9

hash-based MACs H k (m) = h(k m) given (m,h k (m)) then (m y,h k (m y)) is selective forgery for hash functions that admit extension attacks insecure H k (m) = h(m k) H k (m) = h(k m k) 9

hash-based MACs H k (m) = h(k m) given (m,h k (m)) then (m y,h k (m y)) is selective forgery for hash functions that admit extension attacks insecure sha-3 does not admit extension attacks insecure H k (m) = h(m k) H k (m) = h(k m k) 9

hash-based MACs H k (m) = h(k m) given (m,h k (m)) then (m y,h k (m y)) is selective forgery for hash functions that admit extension attacks insecure sha-3 does not admit extension attacks insecure H k (m) = h(m k) given collision H k (x 1 ) = H k (x 2 ) then asking for MAC of x 1 also gives MAC for x 2 insecure H k (m) = h(k m k) 9

hash-based MACs H k (m) = h(k m) given (m,h k (m)) then (m y,h k (m y)) is selective forgery for hash functions that admit extension attacks insecure sha-3 does not admit extension attacks insecure H k (m) = h(m k) given collision H k (x 1 ) = H k (x 2 ) then asking for MAC of x 1 also gives MAC for x 2 insecure H k (m) = h(k m k) secure? maybe not. 9

keyed-hash message authentication code (HMAC) HMAC (k,m) = h ((k opad) h ( (k ipad) m )) 10

keyed-hash message authentication code (HMAC) HMAC (k,m) = h ((k opad) h ( (k ipad) m )) security is based on security of hash function used can forge MACs using MD4 (because MD4 is too weak) 11

block cipher MACs CBC-MAC 12

block cipher MACs CBC-MAC 12

block cipher MACs CBC-MAC 12

block cipher MACs CBC-MAC 12

block cipher MACs CBC-MAC 12

block cipher MACs CBC-MAC 12

block cipher MACs CBC-MAC 12

Authenticated Encryption provides condentiality, data integrity and data origin authentication encrypt-then-mac authenticate the encryption encrypt-and-mac encrypt both plaintext and authentication used in SSH mac-then-encrypt encrypt plaintext and authenticate the plaintext used in SSL/TLS there are sevaral AE modes : CCM, CWC, OCB, EAX, GCM 13

Project and Assignments Assignments Friday, Oct 25 (available Friday, Oct 11) Friday, Nov 15 Friday, Dec 6 Project Exam Dec 4 and 6 Demos (maybe 1-2 weeks earlier though) Have to check regulations Friday, Dec 13 (available Monday, Dec 9) 14

Project Topics possible topics keyless hash functions, attacks on hash functions, sha-3,... secret key public key AES, MACs (CMAC, HMAC, etc), PRNGs attacks on encryption schemes: dierential cryptanalysis, linear cryptanalysis, impossible dierential cryptanalysis,... attacks on hash functions, attacks on PRNGs schemes, attacks on schemes systems that use cryptography... electronic voting, privacy enhancing tools,... attacks on systems that use crypto (that exploit the crypto use or misuse in some way) 15

Crypto Confernces/Workshops International Association for Cryptologic Research Cryptology eprint Archive Selected Areas in Cryptography James Muir's LNCS links Blogs/People Freedom to Tinker Ed Felton, Alex Halderman, Nadia Heninger Schneier on Security Matt Green 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback