Online Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh

Similar documents
Message Authentication Codes (MACs) and Hashes

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

Online Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Foundations of Network and Computer Security

Introduction to Cryptography

Foundations of Network and Computer Security

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Message Authentication Codes (MACs)

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

MESSAGE AUTHENTICATION 1/ 103

Online Cryptography Course. Block ciphers. What is a block cipher? Dan Boneh

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Modern Cryptography Lecture 4

Leftovers from Lecture 3

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Foundations of Network and Computer Security

BEYOND POST QUANTUM CRYPTOGRAPHY

New Proofs for NMAC and HMAC: Security without Collision-Resistance

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Message Authentication. Adam O Neill Based on

Security without Collision-Resistance

Dan Boneh. Stream ciphers. The One Time Pad

Solution of Exercise Sheet 7

Lecture 10: NMAC, HMAC and Number Theory

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

New Proofs for NMAC and HMAC: Security without Collision-Resistance

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Improved security analysis of OMAC

Lecture 10 - MAC s continued, hash & MAC

Introduction to Cryptography Lecture 4

Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Fast and Secure CBC-Type MAC Algorithms

Week 12: Hash Functions and MAC

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Introduction to Information Security

Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions

ECS 189A Final Cryptography Spring 2011

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

Introduction to Cybersecurity Cryptography (Part 4)

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Introduction to Cybersecurity Cryptography (Part 4)

Efficient Message Authentication Codes with Combinatorial Group Testing

Digital Signatures. Adam O Neill based on

On the Security of CTR + CBC-MAC

ASYMMETRIC ENCRYPTION

A Pseudo-Random Encryption Mode

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

Perfectly-Crafted Swiss Army Knives in Theory

Authenticated Encryption Mode for Beyond the Birthday Bound Security

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Dan Boneh. Introduction. Course Overview

Multi-property-preserving Hash Domain Extension and the EMD Transform

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Message Authentication Codes from Unpredictable Block Ciphers

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Provable Security in Symmetric Key Cryptography

Message Authentication Codes from Unpredictable Block Ciphers

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 10: NMAC, HMAC and Number Theory

CBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an

CS 6260 Applied Cryptography

A survey on quantum-secure cryptographic systems

2 Message authentication codes (MACs)

Improving the Security of MACs via Randomized Message Preprocessing

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

FRMAC, a Fast Randomized Message Authentication Code

General Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity

SPCS Cryptography Homework 13

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Lecture 5, CPA Secure Encryption from PRFs

Analysis of Underlying Assumptions in NIST DRBGs

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Stronger Security Variants of GCM-SIV

New Attacks against Standardized MACs

On the Security of Hash Functions Employing Blockcipher Post-processing

A Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs

Provable security. Michel Abdalla

Thanks to: University of Illinois at Chicago NSF CCR Alfred P. Sloan Foundation

Non- browser TLS Woes

Improved Security Analysis for OMAC as a Pseudo Random Function

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

CS 6260 Applied Cryptography

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

1 Cryptographic hash functions

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions

Transcription:

Online Cryptography Course Message integrity Message Auth. Codes

Message Integrity Goal: integrity, no confiden>ality. Examples: Protec>ng public binaries on disk. Protec>ng banner ads on web pages.

Message integrity: MACs k Alice message m tag k Bob Generate tag: tag S(k, m) Verify tag:? V(k, m, tag) = `yes Def: MAC I = (S,V) defined over (K,M,T) is a pair of algs: S(k,m) outputs t in T V(k,m,t) outputs `yes or `no

Integrity requires a secret key Alice message m tag Bob Generate tag: tag CRC(m) Verify tag:? V(m, tag) = `yes ARacker can easily modify message m and re- compute CRC. CRC designed to detect random, not malicious errors.

Secure MACs ARacker s power: chosen message a?ack for m 1,m 2,,m q aracker is given t i S(k,m i ) ARacker s goal: existenaal forgery produce some new valid message/tag pair (m,t). (m,t) { (m 1,t 1 ),, (m q,t q ) } aracker cannot produce a valid tag for a new message given (m,t) aracker cannot even produce (m,t ) for t t

Secure MACs For a MAC I=(S,V) and adv. A define a MAC game as: Chal. k K b m 1 M t 1 S(k,m 1 ) (m,t) b=1 if V(k,m,t) = `yes and (m,t) { (m 1,t 1 ),, (m q,t q ) } b=0 otherwise m 2 t 2,, m q Adv.,, t q Def: I=(S,V) is a secure MAC if for all efficient A: Adv MAC [A,I] = Pr[Chal. outputs 1] is negligible.

Let I = (S,V) be a MAC. Suppose an aracker is able to find m 0 m 1 such that S(k, m 0 ) = S(k, m 1 ) for ½ of the keys k in K Can this MAC be secure? Yes, the aracker cannot generate a valid tag for m 0 or m 1 No, this MAC can be broken using a chosen msg arack It depends on the details of the MAC

Let I = (S,V) be a MAC. Suppose S(k,m) is always 5 bits long Can this MAC be secure? No, an aracker can simply guess the tag for messages It depends on the details of the MAC Yes, the aracker cannot generate a valid tag for any message

Example: protec>ng system files Suppose at install >me the system computes: filename filename filename F 1 F 2 F n k derived from user s password t 1 = S(k,F 1 ) t 2 = S(k,F 2 ) t n = S(k,F n ) Later a virus infects system and modifies system files User reboots into clean OS and supplies his password Then: secure MAC all modified files will be detected

End of Segment

Online Cryptography Course Message Integrity MACs based on PRFs

Review: Secure MACs MAC: signing alg. S(k,m) t and verifica>on alg. V(k,m,t) 0,1 ARacker s power: chosen message a?ack for m 1,m 2,,m q aracker is given t i S(k,m i ) ARacker s goal: existenaal forgery produce some new valid message/tag pair (m,t). (m,t) { (m 1,t 1 ),, (m q,t q ) } aracker cannot produce a valid tag for a new message

Secure PRF Secure MAC For a PRF F: K X Y define a MAC I F = (S,V) as: S(k,m) := F(k,m) V(k,m,t): output `yes if t = F(k,m) and `no otherwise. Alice message m tag Bob tag F(k,m) accept msg if tag = F(k,m)

A bad example Suppose F: K X Y is a secure PRF with Y = {0,1} 10 Is the derived MAC I F a secure MAC system? Yes, the MAC is secure because the PRF is secure No tags are too short: anyone can guess the tag for any msg It depends on the func>on F

Security Thm: If F: K X Y is a secure PRF and 1/ Y is negligible (i.e. Y is large) then I F is a secure MAC. In par>cular, for every eff. MAC adversary A aracking I F there exists an eff. PRF adversary B aracking F s.t.: Adv MAC [A, I F ] Adv PRF [B, F] + 1/ Y I F is secure as long as Y is large, say Y = 2 80.

Proof Sketch Suppose f: X Y is a truly random func>on Then MAC adversary A must win the following game: Chal. f in Funs[X,Y] m 1 X t 1 f(m 1 ) m 2,, m q f(m 2),, f(m q ) (m,t) Adv. A wins if t = f(m) and m { m 1,, m q } Pr[A wins] = 1/ Y same must hold for F(k,x)

Examples AES: a MAC for 16- byte messages. Main ques>on: how to convert Small- MAC into a Big- MAC? Two main construc>ons used in prac>ce: CBC- MAC (banking ANSI X9.9, X9.19, FIPS 186-3) HMAC (Internet protocols: SSL, IPsec, SSH, ) Both convert a small- PRF into a big- PRF.

Trunca>ng MACs based on PRFs Easy lemma: suppose F: K X {0,1} n is a secure PRF. Then so is F t (k,m) = F(k,m)[1 t] for all 1 t n if (S,V) is a MAC is based on a secure PRF outpuung n- bit tags the truncated MAC outpuung w bits is secure as long as 1/2 w is s>ll negligible (say w 64)

End of Segment

Online Cryptography Course Message Integrity CBC- MAC and NMAC

MACs and PRFs Recall: secure PRF F secure MAC, S(k, m) = F(k, m) as long as Y is large Our goal: given a PRF for short messages (AES) construct a PRF for long messages From here on let X = {0,1} n (e.g. n=128)

raw CBC Construc>on 1: encrypted CBC- MAC m[0] m[1] m[3] m[4] F(k, ) F(k, ) F(k, ) F(k, ) Let F: K X X be a PRP Define new PRF F ECBC : K 2 X L X F(k 1, ) tag

cascade Construc>on 2: NMAC (nested MAC) m[0] m[1] m[3] m[4] k F F F F > > > > t t ll fpad Let F: K X K be a PRF k 1 > F Define new PRF F NMAC : K 2 X L K tag

Why the last encryp>on step in ECBC- MAC and NMAC? NMAC: suppose we define a MAC I = (S,V) where S(k,m) = cascade(k, m) This MAC is secure This MAC can be forged without any chosen msg queries This MAC can be forged with one chosen msg query This MAC can be forged, but only with two msg queries

Why the last encryp>on step in ECBC- MAC? Suppose we define a MAC I RAW = (S,V) where S(k,m) = rawcbc(k,m) Then I RAW is easily broken using a 1- chosen msg arack. Adversary works as follows: Choose an arbitrary one- block message m X Request tag for m. Get t = F(k,m) Output t as MAC forgery for the 2- block message (m, t m) Indeed: rawcbc(k, (m, t m) ) = F(k, F(k,m) (t m) ) = F(k, t (t m) ) = t

ECBC- MAC and NMAC analysis Theorem: For any L>0, For every eff. q- query PRF adv. A aracking F ECBC or F NMAC there exists an eff. adversary B s.t.: Adv PRF [A, F ECBC ] Adv PRP [B, F] + 2 q 2 / X Adv PRF [A, F NMAC ] q L Adv PRF [B, F] + q 2 / 2 K CBC- MAC is secure as long as q << X 1/2 NMAC is secure as long as q << K 1/2 (2 64 for AES- 128)

An example Adv PRF [A, F ECBC ] Adv PRP [B, F] + 2 q 2 / X q = # messages MAC- ed with k Suppose we want Adv PRF [A, F ECBC ] 1/2 32 q 2 / X < 1/ 2 32 AES: X = 2 128 q < 2 48 So, acer 2 48 messages must, must change key 3DES: X = 2 64 q < 2 16

The security bounds are >ght: an arack Acer signing X 1/2 messages with ECBC- MAC or K 1/2 messages with NMAC the MACs become insecure Suppose the underlying PRF F is a PRP (e.g. AES) Then both PRFs (ECBC and NMAC) have the following extension property: x,y,w: F BIG (k, x) = F BIG (k, y) F BIG (k, xllw) = F BIG (k, yllw)

The security bounds are >ght: an arack Let F BIG : K X Y be a PRF that has the extension property F BIG (k, x) = F BIG (k, y) F BIG (k, xllw) = F BIG (k, yllw) Generic arack on the derived MAC: step 1: issue Y 1/2 message queries for rand. messages in X. obtain ( m i, t i ) for i = 1,, Y 1/2 step 2: find a collision t u = t v for u v (one exists w.h.p by b- day paradox) step 3: choose some w and query for t := F BIG (k, m u llw) step 4: output forgery (m v llw, t). Indeed t := F BIG (k, m v llw)

BeRer security: a rand. construc>on m 2 blocks k > rand. r in X rawcbc t r k 1 > rawcbc tag Let F: K X X be a PRF. Result: MAC with tags in X 2. Security: Adv MAC [A, I RCBC ] Adv PRP [B, F] (1 + 2 q 2 / X ) For 3DES: can sign q=2 32 msgs with one key

Comparison ECBC- MAC is commonly used as an AES- based MAC CCM encryp>on mode (used in 802.11i) NIST standard called CMAC NMAC not usually used with AES or 3DES Main reason: need to change AES key on every block requires re- compu>ng AES key expansion But NMAC is the basis for a popular MAC called HMAC (next)

End of Segment

Online Cryptography Course Message Integrity MAC padding

Recall: ECBC- MAC m[0] m[1] m[3] m[4] F(k, ) F(k, ) F(k, ) F(k, ) Let F: K X X be a PRP Define new PRF F ECBC : K 2 X L X F(k 1, ) tag

What if msg. len. is not mul>ple of block- size? m[0] m[1] m[3] m[4]??? F(k, ) F(k, ) F(k, ) F(k, ) F(k 1, ) tag

Bad idea: pad m with 0 s CBC MAC padding m[0] m[1] m[0] m[1] 0000 Is the resul>ng MAC secure? Yes, the MAC is secure It depends on the underlying MAC No, given tag on msg m aracker obtains tag on mll0 Problem: pad(m) = pad(mll0)

CBC MAC padding For security, padding must be inver>ble! m 0 m 1 pad(m 0 ) pad(m 1 ) ISO: pad with 1000 00. Add new dummy block if needed. The 1 indicates beginning of pad. m[0] m[1] m[0] m[1] 100 m [0] m [1] m [0] m [1] 1000 000

CMAC (NIST standard) Variant of CBC- MAC where key = (k, k 1, k 2 ) No final encryp>on step (extension arack thwarted by last keyed xor) No dummy block (ambiguity resolved by use of k 1 or k 2 ) m[0] m[1] m[w] 100 m[0] m[1] m[w] k 1 k 2 F(k, ) F(k, ) F(k, ) F(k, ) F(k, ) F(k, ) tag tag

End of Segment

Online Cryptography Course Message Integrity PMAC and Carter- Wegman MAC

ECBC and NMAC are sequen>al. Can we build a parallel MAC from a small PRF??

Construc>on 3: PMAC parallel MAC P(k, i): an easy to compute func>on key = (k, k 1 ) Padding similar to CMAC m[0] m[1] m[2] m[3] P(k,0) P(k,1) P(k,2) P(k,3) F(k 1, ) F(k 1, ) F(k 1, ) Let F: K X X be a PRF Define new PRF F PMAC : K 2 X L X F(k 1, ) tag

PMAC: Analysis PMAC Theorem: For any L>0, If F is a secure PRF over (K,X,X) then F PMAC is a secure PRF over (K, X L, X). For every eff. q- query PRF adv. A aracking F PMAC there exists an eff. PRF adversary B s.t.: Adv PRF [A, F PMAC ] Adv PRF [B, F] + 2 q 2 L 2 / X PMAC is secure as long as ql << X 1/2

Suppose F is a PRP. PMAC is incremental When m[1] m [1] can we quickly update tag? no, it can t be done m[0] m[1] m[3] m[4] P(k,0) P(k,1) P(k,2) P(k,3) F(k 1, ) F(k 1, ) F(k 1, ) do F - 1 (k 1,tag) F(k 1, m [1] P(k,1)) do F - 1 (k 1,tag) F(k 1, m[1] P(k,1)) F(k 1, m [1] P(k,1)) do tag F(k 1, m[1] P(k,1)) F(k 1, m [1] P(k,1)) Then apply F(k 1, ) F(k 1, ) tag

One >me MAC (analog of one >me pad) For a MAC I=(S,V) and adv. A define a MAC game as: Chal. k K b m 1 M t 1 S(k,m 1 ) (m,t) b=1 if V(k,m,t) = `yes and (m,t) (m 1,t 1 ) b=0 otherwise Adv. Def: I=(S,V) is a secure MAC if for all efficient A: Adv 1MAC [A,I] = Pr[Chal. outputs 1] is negligible.

One- >me MAC: an example Can be secure against all adversaries and faster than PRF- based MACs Let q be a large prime (e.g. q = 2 128 +51 ) key = (a, b) {1,,q} 2 (two random ints. in [1,q] ) msg = ( m[1],, m[l] ) where each block is 128 bit int. S( key, msg ) = P msg (a) + b (mod q) where P msg (x) = x L+1 + m[l] x L + + m[1] x is a poly. of deg L+1 We show: given S( key, msg 1 ) adv. has no info about S( key, msg 2 )

One- >me security (uncondi>onal) Thm: the one- >me MAC on the previous slide sa>sfies (L=msg- len) m 1 m 2,t 1,t 2 : Pr a,b [ S( (a,b), m 1 ) = t 1 S( (a,b), m 2 ) = t 2 ] L/q Proof: m 1 m 2, t 1, t 2 : (1) Pr [ a,b S( (a,b), m 2 ) = t ] 2 = Pr a,b [P m2 (a)+b=t ] 2 = 1/q (2) Pr [ a,b S( (a,b), m 1 ) = t 1 and S( (a,b), m 2 ) = t ] 2 = Pr a,b [ P m1 (a)- P m2 (a)=t 1 - t 2 and P m2 (a)+b=t 2 ] L/q 2 given valid (m 2,t 2 ), adv. outputs (m 1,t 1 ) and is right with prob. L/q

One- >me MAC Many- >me MAC Let (S,V) be a secure one- >me MAC over (K I,M, {0,1} n ). Let F: K F {0,1} n {0,1} n be a secure PRF. Carter- Wegman MAC: CW( (k 1,k 2 ), m) = (r, F(k 1,r) S(k 2,m) ) for random r {0,1} n. slow but short inp fast long inp Thm: If (S,V) is a secure one- Ame MAC and F a secure PRF then CW is a secure MAC outpuung tags in {0,1} 2n.

CW( (k 1,k 2 ), m) = (r, F(k 1,r) S(k 2,m) ) How would you verify a CW tag (r, t) on message m? Recall that V(k 2,m,.) is the verifica>on alg. for the one >me MAC. Run V( k 2, m, F(k 1, t) r) ) Run V( k 2, m, r ) Run V( k 2, m, t ) Run V( k 2, m, F(k 1, r) t) )

Construc>on 4: HMAC (Hash- MAC) Most widely used MAC on the Internet. but, we first we need to discuss hash func>on.

Further reading J. Black, P. Rogaway: CBC MACs for Arbitrary- Length Messages: The Three- Key Construc>ons. J. Cryptology 18(2): 111-131 (2005) K. Pietrzak: A Tight Bound for EMAC. ICALP (2) 2006: 168-179 J. Black, P. Rogaway: A Block- Cipher Mode of Opera>on for Parallelizable Message Authen>ca>on. EUROCRYPT 2002: 384-397 M. Bellare: New Proofs for NMAC and HMAC: Security Without Collision- Resistance. CRYPTO 2006: 602-619 Y. Dodis, K. Pietrzak, P. Puniya: A New Mode of Opera>on for Block Ciphers and Length- Preserving MACs. EUROCRYPT 2008: 198-219

End of Segment

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback