Message Authentication Codes (MACs)

Transcription

1 Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, / 22

2 About Me 2 / 22

3 About Me Tung Chou (Tony) 2 / 22

4 About Me Tung Chou (Tony) Ph.D. student of Daniel J. Bernstein & Tanja Lange 2 / 22

5 About Me Tung Chou (Tony) Ph.D. student of Daniel J. Bernstein & Tanja Lange Research topics: Post-quantum crypto, ECC, MAC design. 2 / 22

6 About Me Tung Chou (Tony) Ph.D. student of Daniel J. Bernstein & Tanja Lange Research topics: Post-quantum crypto, ECC, MAC design. 2 / 22

7 Outline 3 / 22

8 Outline Introduction 3 / 22

9 Outline Introduction HMAC 3 / 22

10 Outline Introduction HMAC Universal-hash based MACs Poly1305 security issues software implementation issues 3 / 22

11 Outline Introduction HMAC Universal-hash based MACs Poly1305 security issues software implementation issues Diffie Hellman key exchange 3 / 22

12 What are MACs? 4 / 22

13 What are MACs? On Wikipedia: a message authentication code (often MAC) is a short piece of information used to authenticate a message and to provide integrity and authenticity assurances on the message. Integrity assurances detect accidental and intentional message changes, while authenticity assurances affirm the message s origin 4 / 22

14 Digital Signatures 5 / 22

15 Digital Signatures Construction: sk message (m) hash h TP signature (s) pk 5 / 22

16 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) pk 5 / 22

17 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) S computes h and the SIGN sk (h). S sends (m, s). pk 5 / 22

18 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) S computes h and the SIGN sk (h). S sends (m, s). V gets (m, s ). pk 5 / 22

19 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) S computes h and the SIGN sk (h). S sends (m, s). V gets (m, s ). V computes and check hash(m ) = VERIFY pk (s ). pk 5 / 22

20 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) S computes h and the SIGN sk (h). S sends (m, s). V gets (m, s ). V computes and check hash(m ) = VERIFY pk (s ). pk Security 5 / 22

21 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) S computes h and the SIGN sk (h). S sends (m, s). V gets (m, s ). V computes and check hash(m ) = VERIFY pk (s ). pk Security attacker should not be able to forge a valid (m, s) pair 5 / 22

22 Digital Signatures Construction: sk Usage: message (m) hash h TP signature (s) S computes h and the SIGN sk (h). S sends (m, s). V gets (m, s ). V computes and check hash(m ) = VERIFY pk (s ). pk Security attacker should not be able to forge a valid (m, s) pair attacker might have collected many (m, s) pairs 5 / 22

23 Message Authentication Codes 6 / 22

24 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) 6 / 22

25 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: 6 / 22

26 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: S computes t = MAC r (m) and sends (m, t). 6 / 22

27 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: S computes t = MAC r (m) and sends (m, t). R gets (m, t ). 6 / 22

28 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: S computes t = MAC r (m) and sends (m, t). R gets (m, t ). R computes and checks MAC r (m ) = t. 6 / 22

29 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: S computes t = MAC r (m) and sends (m, t). R gets (m, t ). R computes and checks MAC r (m ) = t. Security 6 / 22

30 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: S computes t = MAC r (m) and sends (m, t). R gets (m, t ). R computes and checks MAC r (m ) = t. Security attacker should not be able to forge a valid (m, t) pair 6 / 22

31 Message Authentication Codes Keyed hash function : message (m) MAC algorithm tag/authenticator (t) shared secret key (r) Usage: S computes t = MAC r (m) and sends (m, t). R gets (m, t ). R computes and checks MAC r (m ) = t. Security attacker should not be able to forge a valid (m, t) pair attacker might have collected many (m, t) pairs 6 / 22

32 MACs vs Signatures 7 / 22

33 MACs vs Signatures MACs Signatures Integrity yes yes Authenticity yes yes Non-repudiation no yes Key secret-key public-key 7 / 22

34 MACs vs Signatures MACs Signatures Integrity yes yes Authenticity yes yes Non-repudiation no yes Key secret-key public-key Non-repudiation is about Alice showing to Bob a proof that some data really comes from Alice, such that not only Bob is convinced, but Bob also gets the assurance that he could show the same proof to Charlie, and Charlie would be convinced, too 7 / 22

35 MACs vs Signatures MACs Signatures Integrity yes yes Authenticity yes yes Non-repudiation no yes Key secret-key public-key Non-repudiation is about Alice showing to Bob a proof that some data really comes from Alice, such that not only Bob is convinced, but Bob also gets the assurance that he could show the same proof to Charlie, and Charlie would be convinced, too secret-key crypto is fast 7 / 22

36 HMAC 8 / 22

37 HMAC Build MAC from hash functions 8 / 22

38 HMAC Build MAC from hash functions A naive construction: t = H(r m) 8 / 22

39 HMAC Build MAC from hash functions A naive construction: t = H(r m) Merkle Damgård construction based hashes (e.g., MD5, SHA1) m 1 m 2 m l IV f f f h 8 / 22

40 HMAC Build MAC from hash functions A naive construction: t = H(r m) Merkle Damgård construction based hashes (e.g., MD5, SHA1) m 1 m 2 m l IV f f f h Length extension attack: h = f(h, m l+1 ) 8 / 22

41 HMAC (cont.) 9 / 22

42 HMAC (cont.) Another construction: t = H(m r) 9 / 22

43 HMAC (cont.) Another construction: t = H(m r) HMAC: t = H ((r p o ) H((r p i ) m)) 9 / 22

44 HMAC (cont.) Another construction: t = H(m r) HMAC: t = H ((r p o ) H((r p i ) m)) HMAC-SHA1 9 / 22

45 HMAC (cont.) Another construction: t = H(m r) HMAC: t = H ((r p o ) H((r p i ) m)) HMAC-SHA1 widely used in Internet applications 9 / 22

46 HMAC (cont.) Another construction: t = H(m r) HMAC: t = H ((r p o ) H((r p i ) m)) HMAC-SHA1 widely used in Internet applications 5.18 Sandy Bridge cycles/byte 9 / 22

47 HMAC (cont.) Another construction: t = H(m r) HMAC: t = H ((r p o ) H((r p i ) m)) HMAC-SHA1 widely used in Internet applications 5.18 Sandy Bridge cycles/byte Reality: the most commonly used scheme might not be the best 9 / 22

48 SHA3 The Sponge construction: 10 / 22

49 The Wegman Carter construction 11 / 22

50 The Wegman Carter construction Why? 11 / 22

51 The Wegman Carter construction Why? provides information theoretic security 11 / 22

52 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic 11 / 22

53 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic better performance than HMAC 11 / 22

54 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic better performance than HMAC 11 / 22

55 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic better performance than HMAC Construction 11 / 22

56 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic better performance than HMAC Construction universal hash function + one-time pad: h r (m n ) s n 11 / 22

57 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic better performance than HMAC Construction universal hash function + one-time pad: h r (m n ) s n universal hash: low differential probability 11 / 22

58 The Wegman Carter construction Why? provides information theoretic security usually involves field/ring arithmetic better performance than HMAC Construction universal hash function + one-time pad: h r (m n ) s n universal hash: low differential probability one-time pad hides all information about the key 11 / 22

59 Poly / 22

60 Poly1305 Construction: t = (((m 1 r l +m 2 r l 1 + +m l r) mod )+s) mod / 22

61 Poly1305 Construction: t = (((m 1 r l +m 2 r l 1 + +m l r) mod )+s) mod is a prime r, s are shared secret 128-bit values 12 / 22

62 Poly1305 Construction: t = (((m 1 r l +m 2 r l 1 + +m l r) mod )+s) mod is a prime r, s are shared secret 128-bit values m i<l is the ith 128-bit block of m padded by 1. m l is the remainder of m padded by / 22

63 Poly1305 Construction: t = (((m 1 r l +m 2 r l 1 + +m l r) mod )+s) mod is a prime r, s are shared secret 128-bit values m i<l is the ith 128-bit block of m padded by 1. m l is the remainder of m padded by 1. Without proper padding? 12 / 22

64 Poly1305 Construction: t = (((m 1 r l +m 2 r l 1 + +m l r) mod )+s) mod is a prime r, s are shared secret 128-bit values m i<l is the ith 128-bit block of m padded by 1. m l is the remainder of m padded by 1. Without proper padding? m = FF, m = FF, 00 zero-pad the message obtain a 128-bit block m 1 = m 1 = FF, 00,..., / 22

65 Poly1305 Construction: t = (((m 1 r l +m 2 r l 1 + +m l r) mod )+s) mod is a prime r, s are shared secret 128-bit values m i<l is the ith 128-bit block of m padded by 1. m l is the remainder of m padded by 1. Without proper padding? m = FF, m = FF, 00 zero-pad the message obtain a 128-bit block m 1 = m 1 = FF, 00,..., 00 Speed: 1.22 Sandy Bridge cycles/byte 12 / 22

66 Poly1305: avoiding security issue 13 / 22

67 Poly1305: avoiding security issue What is wrong with real polynomial evaluation? t = m 1 r l 1 + m 2 r l m l + s 13 / 22

68 Poly1305: avoiding security issue What is wrong with real polynomial evaluation? t = m 1 r l 1 + m 2 r l m l + s The attacker forges a valid message tag pair easily: t + = m 1 r l 1 + m 2 r l (m l + ) + s 13 / 22

69 Poly1305: avoiding security issue What is wrong with real polynomial evaluation? t = m 1 r l 1 + m 2 r l m l + s The attacker forges a valid message tag pair easily: t + = m 1 r l 1 + m 2 r l (m l + ) + s This does not provide low differential probability 13 / 22

70 Poly1305: avoiding security issue 14 / 22

71 Poly1305: avoiding security issue What is wrong with using the same pad twice? t = m 1 r l + m 2 r l m l r + s t = m 1r l + m 2r l m l r + s 14 / 22

72 Poly1305: avoiding security issue What is wrong with using the same pad twice? t = m 1 r l + m 2 r l m l r + s t = m 1r l + m 2r l m l r + s The attacker gets information of r by finding roots of t t = (m 1 m 1)r l + (m 2 m 2)r l (m l m l )r 14 / 22

73 Poly1305: avoiding security issue What is wrong with using the same pad twice? t = m 1 r l + m 2 r l m l r + s t = m 1r l + m 2r l m l r + s The attacker gets information of r by finding roots of t t = (m 1 m 1)r l + (m 2 m 2)r l (m l m l )r nonce-misuse issue 14 / 22

74 Poly1305: avoiding security issue What is wrong with using the same pad twice? t = m 1 r l + m 2 r l m l r + s t = m 1r l + m 2r l m l r + s The attacker gets information of r by finding roots of t t = (m 1 m 1)r l + (m 2 m 2)r l (m l m l )r nonce-misuse issue In practice s is usually replaced by stream cipher output, e.g., AES k (n) for m n 14 / 22

75 Poly1305: avoiding security issue What is wrong with using the same pad twice? t = m 1 r l + m 2 r l m l r + s t = m 1r l + m 2r l m l r + s The attacker gets information of r by finding roots of t t = (m 1 m 1)r l + (m 2 m 2)r l (m l m l )r nonce-misuse issue In practice s is usually replaced by stream cipher output, e.g., AES k (n) for m n HMAC does not use nonce 14 / 22

76 Poly1305: polynomial evaluation 15 / 22

77 Poly1305: polynomial evaluation Consider m 1 r 8 + m 2 r m 8 r 15 / 22

78 Poly1305: polynomial evaluation Consider m 1 r 8 + m 2 r m 8 r Horner s rule: r m 1 m 2 m 3 m 4 m 5 m 6 m 7 m / 22

79 Poly1305: polynomial evaluation Consider m 1 r 8 + m 2 r m 8 r Horner s rule: r m 1 m 2 m 3 m 4 m 5 m 6 m 7 m n multiplications (and n 1 additions) 15 / 22

80 Poly1305: polynomial evaluation Consider m 1 r 8 + m 2 r m 8 r Horner s rule: r m 1 m 2 m 3 m 4 m 5 m 6 m 7 m n multiplications (and n 1 additions) The issue of being on-line 15 / 22

81 GMAC 16 / 22

82 GMAC The NIST-standard authenticated encryption scheme GCM 16 / 22

83 GMAC The NIST-standard authenticated encryption scheme GCM Galois Counter Mode 16 / 22

84 GMAC The NIST-standard authenticated encryption scheme GCM Galois Counter Mode Special hardware support for AES-GCM in high-end CPUs 16 / 22

85 GMAC The NIST-standard authenticated encryption scheme GCM Galois Counter Mode Special hardware support for AES-GCM in high-end CPUs Polynomial evaluation MAC: t = (m 1 r l + m 2 r l m l r) + s 16 / 22

86 GMAC The NIST-standard authenticated encryption scheme GCM Galois Counter Mode Special hardware support for AES-GCM in high-end CPUs Polynomial evaluation MAC: t = (m 1 r l + m 2 r l m l r) + s Based on arithmetic in F = F 2 [x]/(x x 7 + x 2 + x + 1) 16 / 22

87 GMAC The NIST-standard authenticated encryption scheme GCM Galois Counter Mode Special hardware support for AES-GCM in high-end CPUs Polynomial evaluation MAC: t = (m 1 r l + m 2 r l m l r) + s Based on arithmetic in F = F 2 [x]/(x x 7 + x 2 + x + 1) Binary fields: better in hardware 16 / 22

88 GCM 17 / 22

89 GMAC: speeds reference platform PCLMUQDQ cycles per byte Käsper Schwabe 2009 Core 2 no Sandy Bridge no Krovetz Rogaway 2011 Westmere yes 2.00 Gueron 2013 Sandy Bridge yes 1.79 Haswell yes / 22

90 Auth / 22

91 Auth256 Construction 19 / 22

92 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s 19 / 22

93 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s base field F = F 2 8[x]/(φ). Tower field construction for F / 22

94 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s base field F = F 2 8[x]/(φ). Tower field construction for F 2 8. Compared to GMAC 19 / 22

95 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s base field F = F 2 8[x]/(φ). Tower field construction for F 2 8. Compared to GMAC higher security level 19 / 22

96 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s base field F = F 2 8[x]/(φ). Tower field construction for F 2 8. Compared to GMAC higher security level 0.5/1 multiplications per block 19 / 22

97 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s base field F = F 2 8[x]/(φ). Tower field construction for F 2 8. Compared to GMAC higher security level 0.5/1 multiplications per block larger key size 19 / 22

98 Auth256 Construction a pseudo-dot-product MAC: t = (m 1 + r 1 )(m 2 + r 2 ) + (m 3 + r 3 )(m 4 + r 4 ) + + s base field F = F 2 8[x]/(φ). Tower field construction for F 2 8. Compared to GMAC higher security level 0.5/1 multiplications per block larger key size very different field construction for low bit operation count 19 / 22

99 Wegman Carter construction: security δ-xor-universal hash : For all distinct (m, m ) and, we have P r ( Hash r (m) = Hash r (m ) ) δ 20 / 22

100 Wegman Carter construction: security δ-xor-universal hash : For all distinct (m, m ) and, we have P r ( Hash r (m) = Hash r (m ) ) δ The one-time pad hides all information about the key r. The best strategy for the attacker is to guess. 20 / 22

101 Auth256: Security Proof Hash values: h =(m 1 + r 1)(m 2 + r 2) + (m 3 + r 3)(m 4 + r 4) + + (m 2l 1 + r 2l 1 )(m 2l + r 2l ), h =(m 1 + r 1)(m 2 + r 2) + (m 3 + r 3)(m 4 + r 4) + + (m 2l 1 + r 2l 1 )(m 2l + r 2l ). 21 / 22

102 Auth256: Security Proof Hash values: h =(m 1 + r 1)(m 2 + r 2) + (m 3 + r 3)(m 4 + r 4) + + (m 2l 1 + r 2l 1 )(m 2l + r 2l ), h =(m 1 + r 1)(m 2 + r 2) + (m 3 + r 3)(m 4 + r 4) + + (m 2l 1 + r 2l 1 )(m 2l + r 2l ). Then h = h + if and only if r 1(m 2 m 2) + r 2(m 1 m 1) + r 3(m 4 m 4) + r 4(m 3 m 3) + = + m 1m 2 m 1m 2 + m 3m 4 m 3m / 22

103 Auth256: Security Proof Hash values: h =(m 1 + r 1)(m 2 + r 2) + (m 3 + r 3)(m 4 + r 4) + + (m 2l 1 + r 2l 1 )(m 2l + r 2l ), h =(m 1 + r 1)(m 2 + r 2) + (m 3 + r 3)(m 4 + r 4) + + (m 2l 1 + r 2l 1 )(m 2l + r 2l ). Then h = h + if and only if r 1(m 2 m 2) + r 2(m 1 m 1) + r 3(m 4 m 4) + r 4(m 3 m 3) + = + m 1m 2 m 1m 2 + m 3m 4 m 3m 4 +. m m implies that there are at most K 2l 1 solutions for r. 21 / 22

104 CBC-MAC 22 / 22