Message Authentication Codes. Reading: Chapter 4 of Katz & Lindell

Transcription

1 Message Autheticatio Codes Readig: Chapter 4 of Katz & Lidell 1

2 Message autheticatio Bob receives a message m from Alice, he wats to ow (Data origi autheticatio) whether the message was really set by Alice. (Data itegrity) whether the message has bee modified. Two solutios: Alice attaches a message autheticatio code (MAC) to the message (usig a symmetric ey to compute the MAC). Or she attaches a sigature to the message (usig a asymmetric ey to compute the sigature). 2

3 Basic idea of MAC Message autheticatio protocol: 1. Alice ad Bob share a secret ey. 2. To sed a message m, Alice computes a tag t : = MAC ( m) ( m t) ( ) ad seds, to Bob. 3. O receivig m, t, Bob checs whether t = MAC ( m ). If so, he accepts the message; otherwise, he rejects it. The tag t is called a message autheticatio code (MAC). Security requiremet: computatioally ifeasible to forge a valid pair ( x, MAC ( x)) without owig the ey. 3

4 MAC Scheme (formal defiitio) A MAC scheme is a triple ( Ge, Mac, Vrfy): Key geeratio algorithm: O iput 1, outputs a ey {0,1}. u Tag geeratio algorithm Mac : O iput a ey ad a message m M, Mac outputs a tag t. We write t Mac ( m). l( ) * ( M is the message space. Assume M = {0,1} or M = {0,1}.) Verificatio algorithm Vrfy : O iput a ey, a message m, ad a tag t, algorithm Vrfy outputs 1 (meaig valid) or 0 ( ivalid). Vrfy ( m, t) = 0 or 1. Ge, Mac are probabilistic algorithms. Vrfy is determiistic. Correctess requiremet: for every K ad m M, ( ) Vrfy m, Mac ( m) = 1. 4

5 Caoical verificatio (used whe Mac is determiistic): Vrfy ( m,) t 1 if Mac ( m) = t = 0 otherwise l( ) If {0,1}, the scheme is said to M = a fixed-le gth MAC scheme for messages of legth l ( ). Fixed-legth MAC schemes are easier to costruct. Geeral MAC schemes for M = fixed-legth schemes. be * {0,1} ca be costructed from 5

6 Chose-Message Attacs o MAC Schemes Experimet MAC-Forge ( ): A, Π 1. A ey G(1 ) is geerated. 2. The adversary A is give iput 1 ad oracle access to Mac ( ). A may as the oracle to compute tags for messages of its choice. Let Q be the set of all queries A has made to the oracle. 3. A evetually outputs a pair ( m, t). ( A tries to for ge a valid pair of message ad tag. ) 4. MAC-Forge A, Π ( ) = 1 ( A succeeds) if m Q ad Vrfy ( m, t) = 1. Remars: Adversary: a adaptive chose-message attacer. Forgery: a existetia l forgery. 6

7 MAC security: existetial uforgeability uder a adaptive chose-message attac Defiitio: A MAC scheme ( Ge, Mac, Vrfy) is existetially uforgeable uder a adaptive chose-message attac (or simply secure) if for all polyomial-time adversaries A, there exists a egligible fuctio egl or such that Pr MAC-Forge A, Π ( ) = 1 egl( ) ( Mac ( ) ( )) Pr Vrfy A 1 = 1 : u {0,1} egl( ) where the output of A, ( mt, ), satisfies m Q. 7

8 Strog MAC security If a MAC scheme is secure, the probability is egligible that Aca forge a valid ( mt, ) with m Q. However, it may be possible for A to forge a d ifferet valid tag t t for some message m Q, where t is the tag retured by the oracle o m. If o adversary is able to do so, the MAC scheme is strogly secure. To formally defie strog security, modify the experimet as follows: { } Let Q = ( mt, ) : m Q, tis the tag retured by the oracle o m. Asucceeds if a oly if it outputs a valid pair ( mt, ) Q. If MAC is determiistic, the "secure" "strogly secure". 8

9 Costructig secure MAC schemes Let F be a pseudoradom fuctio. We will use F to costruct secure MAC schemes i several steps. Secure fixed-leg th MAC schemes for messages of legt h Secure fixed-legth MAC schemes for messages of legth l ( ) Secure MAC schemes for arbitrary-legth messages For simplicity, assume message legth is a multiple of. (We ca always do paddig to mae this assumptio true.) 9

10 Secure MAC schemes for M = {0,1} Let F be a pseudoradom fuctio. Fixed-legth MAC scheme for messages of legth : Key geeratio: O iput 1, {0,1}. Tag geeratio: O iput {0,1} ad message m {0,1}, output the tag t: = F ( m). 1 if F ( m) = t Verificatio: O iput ( mt, ), Vrfy ( mt, ) : = 0 otherwise u Theorem: Such a MAC scheme is secure. 10

11 Basic CBC-MAC Let F be a pseudoradom fuctio. Basic CBC-MAC wors as follows: Key geeratio: {0,1}. u q Tag geeratio: For ey {0,1} ad message m {0,1}, parse m as m= ( m,, m ) // q blocs // apply CBC to m with IV = 0, i.e., let output t 1 t : = 0 ad t : = F ( m t ) for 1 i q 0 i i i 1 as the tag Verificatio: caoical q q Theorem: For ay fixed for messages of legth legth fuctio l, basic CBC-MAC is secure l ( ). 11

12 Remars It is importat that t ( IV ) is fixed, or the scheme would be isecure. 0 Also, the scheme would be isecure if message legth is variable. Suppose t : = Mac( m1m2 m3) ad t : = Mac( m4). Let m 4 be such that t m 4 = m4. The Mac ( m m m m ) = t IV = 0 12

13 CBC-MAC for arbitrary-legth messages A FIPS ad ISO stadard. There are several variats of CBC-MAC. Oe variat of CBC-MAC: Preped the message m with its legth m (as a -bit strig) ad the compute basic CBC-MAC o the result. Remars: There is a limitatio o m. It would be isecure if m is appeded to the ed of m. 13

14 14

15 Aother variat of CBC-MAC Geerate two eys, {0,1}. 1 2 To autheticate a message m, let the tag be ( ) t: = F basic-cbc-mac ( m). 2 1 u Oe may use oly oe ey ad geerate 1 2 : = F (1) ad : = F (2) 1 2, from : 15

16 Security of CBC-MAC (for arbitrary legth) Theorem: CBC-MAC is secure if F is a pseudoradom fuctio. I practice, bloc ciphers (such as DES, AES) are used. 16

17 Autheticated Ecryptio To esure both secrecy ad itegrity 17

18 Uforgeable ecryptio Experimet Ec-Forge ( ) : A, Π Ru Ge(1 ) to obtai a ey. The adversary A is give 1 ad access to oracle Ec ( ), ad outputs a ciphertext c. Let m : = Dec ( c). Let Q be the set of all messages that A has ased the oracle for ecryptio. The output of the experimet is 1 ( A succeeds) if ad oly if m is a valid message ( m M ) ad m Q. Defiitio: A ecryptio scheme Π= ( Ge, Ec, Dec) is if for every A, Pr Ec-Forge A, Π ( ) = 1 egl( ). uforgeable 18

19 Autheticated ecryptio scheme Defiitio: A symmetric-ey ecryptio scheme is a autheticated ecryptio scheme if it is CCA-secure ad uforgeable. We will costruct a autheticated ecryptio scheme from a CPA-secure ecryptio scheme ad a strogly secure MAC scheme. Three atural ways: Ecrypt ad autheticate (isecure) Autheticate the ecrypt (isecure) Ecrypt the autheticate (secure) I the followig slides, let m be a message, a ecryptio ey, ad M a MAC ey. E 19

20 Ecrypt ad Autheticate Seder: ecrypt ad autheticate m the ciphertext is ct, where idepedetly. That is, c Ec ( m), t Mac ( m) E Receiver: give ciphertext ct,, do Security: m Dec ( c), ad the chec if Vrfy ( m, t) = 1. Not ecessarily EAV-secure, sice t might lea ifo about m. If ot Mac E M is determiistic (e.g., CBC-MAC), the the scheme CPA-secure. M is 20

21 Autheticate the Ecrypt Seder: autheticate m first ad the ecrypt m ad the tag. Thus, the ciphertext is c computed as: t Mac ( m), c Ec ( m t) Receiver: give ciphertext c, do M m t Dec ( c) ad the chec if Vrfy ( m, t) = 1. A potetial attac: E Suppose PKCS#5 paddig is used. Suppose the receiver does: if the paddig is icorrect the elseif the tag is icorrect the E M retur a "bad paddig" error retur a "bad mac" error. The paddig attac ca be coducted to recover the etire m t. 21

22 Ecrypt the Autheticate Seder: ecrypt m first ad the autheticate the result. Thus, the ciphertext is c, t where c Ec ( m), t Mac ( c) E M Receiver: o receivig c, t, if Vrfy ( c, t) = 1 the m Dec ( c). M E Theorem: If the ecryptio scheme is CPA-secure ad the MAC scheme is strogly secure, the the ecryptio-the-autheticate costructio yields a autheticated ecryptio scheme. CPA-secure ecryptio + strogly secure MAC CCA-secure ad uforgeable ecryptio 22