Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

Similar documents
Authenticated Encryption Mode for Beyond the Birthday Bound Security

New Attacks against Standardized MACs

Stronger Security Variants of GCM-SIV

CTR mode of operation

Solution of Exercise Sheet 7

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Block Ciphers/Pseudorandom Permutations

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

On the Influence of Message Length in PMAC s Security Bounds

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls

Efficient Message Authentication Codes with Combinatorial Group Testing

Lecture 9 - Symmetric Encryption

EME : extending EME to handle arbitrary-length messages with associated data

2 Message authentication codes (MACs)

Stronger Security Variants of GCM-SIV

Online Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh

Topics. Probability Theory. Perfect Secrecy. Information Theory

Symmetric Encryption

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Further More on Key Wrapping. 2011/2/17 SKEW2011 Lyngby Nagoya University Yasushi Osaki, Tetsu Iwata

Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Improved Security Analysis for OMAC as a Pseudo Random Function

On the Security of CTR + CBC-MAC

Modern Cryptography Lecture 4

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Foundations of Network and Computer Security

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication

Foundations of Network and Computer Security

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

MESSAGE AUTHENTICATION 1/ 103

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

AES-OTR v3. Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address:

On the Counter Collision Probability of GCM*

Notes for Lecture 9. 1 Combining Encryption and Authentication

Fast and Secure CBC-Type MAC Algorithms

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Message Authentication. Adam O Neill Based on

Leftovers from Lecture 3

ECS 189A Final Cryptography Spring 2011

Foundations of Network and Computer Security

Characterization of EME with Linear Mixing

CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Quantum Differential and Linear Cryptanalysis

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

CS 6260 Applied Cryptography

Chapter 2 : Perfectly-Secret Encryption

Integrity Analysis of Authenticated Encryption Based on Stream Ciphers

OMAC: One-Key CBC MAC

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

CPA-Security. Definition: A private-key encryption scheme

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Lecture 10: NMAC, HMAC and Number Theory

Lecture 7: CPA Security, MACs, OWFs

Message Authentication Codes (MACs) and Hashes

Tweakable Blockciphers with Beyond Birthday-Bound Security

5199/IOC5063 Theory of Cryptology, 2014 Fall

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

A survey on quantum-secure cryptographic systems

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions

Lecture 18: Message Authentication Codes & Digital Signa

EasyChair Preprint. Formal Security Proof of CMAC and its Variants

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Introduction to Cryptography

Lecture 10 - MAC s continued, hash & MAC

CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions

Lecture 4: DES and block ciphers

Authentication. Chapter Message Authentication

Modes of Operations for Wide-Block Encryption

A block cipher enciphers each block with the same key.

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs

Question: Total Points: Score:

An introduction to Hash functions

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Introduction to Cybersecurity Cryptography (Part 4)

CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions

1 Number Theory Basics

An Introduction to Authenticated Encryption. Palash Sarkar

Introduction to Cybersecurity Cryptography (Part 4)

The Security of Abreast-DM in the Ideal Cipher Model

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Encrypt or Decrypt? To Make a Single-Key Beyond Birthday Secure Nonce-Based MAC

Lecture 10: NMAC, HMAC and Number Theory

III. Pseudorandom functions & encryption

Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World. Dan Boneh and Mark Zhandry Stanford University

Introduction to Cryptography Lecture 4

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

GCM Security Bounds Reconsidered

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

Transcription:

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC 9797 1:2011 MACs Tetsu Iwata, Nagoya University Lei Wang, Nanyang Technological University FSE 2014 March 4, 2014, London, UK 1

Overview ANSI X9.24 1:2009, Annex C specifies the key check value ISO/IEC 9797 1:2011, Annex C specifies a total of ten variants of CBC MAC We derive the quantitative impact of using the key check value on the security of ISO/IEC 9797 1:2011 CBC MACs 2

CBC MAC M = (M[1], M[2],..., M[m]): input message, T: tag Fixed Input Length PRF if E is a PRP [BKR 94, BPR 05] Provably implies that it is a secure MAC (over fixed length messages) It allows forgery attacks for variable length messages 3

Length Extension Attack on CBC MAC Given (M[1], M[2], M[3]) and T, (M[1], M[2], M[3], M[1] xor T, M[2], M[3]) and T is a valid (message, tag) pair 4

CBC MAC Variants in ISO/IEC 9797 1:2011 MAC1.1 basic CBC MAC MAC1.2 CBC MAC w/ prefix free padding 5

CBC MAC Variants in ISO/IEC 9797 1:2011 MAC2.1 EMAC w/ a related key, K = K xor 0xf0f0... f0 MAC2.2 EMAC w/ two independent keys MAC3 ANSI retail MAC, two independent keys 6

CBC MAC Variants in ISO/IEC 9797 1:2011 MAC4.1 MacDES, K = K xor 0xf0f0... f0 MAC4.2 MacDES w/ the same K and prefix free padding K and K are two independent keys 7

CBC MAC Variants in ISO/IEC 9797 1:2011 MAC5 CMAC 8

CBC MAC Variants in ISO/IEC 9797 1:2011 MAC6.1 FCBC w/ a key derivation function MAC6.2 FCBC w/ two independent keys 9

CBC MAC Variants in ISO/IEC 9797 1:2011 MAC1.1 a basic CBC MAC MAC1.2 CBC MAC w/ prefix free padding MAC2.1 EMAC w/ a related key, K = K xor 0xf0f0... f0 MAC2.2 EMAC w/ two independent keys MAC3 ANSI retail MAC MAC4.1 MacDES, K = K xor 0xf0f0... f0 MAC4.2 MacDES w/ the same K and prefix free padding MAC5 CMAC MAC6.1 FCBC w/ a key derivation function MAC6.2 FCBC w/ two independent keys 10

CBC MAC Variants in ISO/IEC 9797 1:2011 MAC1.1 a basic CBC MAC MAC1.2 CBC MAC w/ prefix free padding MAC2.1 EMAC w/ a related key, K = K xor 0xf0f0... f0 MAC2.2 EMAC w/ two independent keys MAC3 ANSI retail MAC MAC4.1 MacDES, K = K xor 0xf0f0... f0 MAC4.2 MacDES w/ the same K and prefix free padding MAC5 CMAC uses E K (0 n ) MAC6.1 FCBC w/ a key derivation also used function in OCB, MAC6.2 FCBC w/ two independent PMAC, GCM, keys... 11

ANSI X9.24 1:2009 Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques specifies the management of keying material used for financial services POS transactions, transactions in banking systems,... 12

Key Check Value ANSI X9.24 1:2009, Annex C: The optional check values, as mentioned in notes 2 and 3 above, are the left most six hexadecimal digits from the ciphertext produced by using the DEA in ECB mode to encrypt to 64 bit binary zero value with the subject key or key component. The check value process may be simplified operationally, while still retaining reliability, by limiting the check value to the left most four or six hexadecimal digits of the ciphertext. (Using the truncated check value may provide additional security in that the ciphertext which could be used for exhaustive key determination would be unavailable.) 13

Key Check Value KCV = msb(s, E K (0 n )) s = 16 or 24 (for n = 64), defined only for DES and Triple DES used as the ID for the key K in financial services inherently public data, as it is used for verification transmitted, sent, or stored in clear the adversary may learn this value special case of leakage of the internal state CMAC uses E K (0 n ) CMAC has a proof of security, but the proof does not take KCV into account What is the impact on the security of the use of KCV? 14

Case s = n, MAC5 (CMAC) KCV = msb(s, E K (0 n )) E K (0 n )is known, then L = 2 E K (0 n )and 2 L are known reduces to CBC MAC length extension attack 15

Case s = n, MAC2.1 (EMAC) K is the key, K = K xor 0xf0f0... f0 KCV = E K (0 n ) 16

Case s < n, MAC5 (CMAC) Trivial attack: guess the missing n s bits of E K (0 n ) and try the lengthextension attack Pr[success] = 1/2 n s 17

Case s < n, MAC5 (CMAC) Birthday attack, similar to [Knudsen, 97] ask 2 (n s)/2 different M[1] s and 2 (n s)/2 different (0 n, M[2]) s with a high probability, T = T distinguishing attack with O(2 (n s)/2 ) queries E K (0 n )(= M[1] xor M[2]) is known, length extension attack 18

Case s < n, MAC2.1 (EMAC) The same attack can be used ask 2 (n s)/2 different M[1] s and 2 (n s)/2 different (0 n, M[2]) s with a high probability, T = T distinguishing attack with O(2 (n s)/2 ) queries E K (0 n )(= M[1] xor M[2]) is known, forgery attack 19

CBC MAC Variants in ISO/IEC 9797 1:2011 MAC1.1 O(1): folklore MAC1.2 MAC2.1 O(2 (n s)/2 ) MAC2.2 MAC3 MAC4.1 MAC4.2 MAC5 O(2 (n s)/2 ) MAC6.1 MAC6.2 20

CBC MAC Variants in ISO/IEC 9797 1:2011 MAC1.1 O(1): folklore MAC1.2 MAC2.1 O(2 (n s)/2 ) MAC2.2 O(2 (n s)/2 ) MAC3 O(2 (n s)/2 ) MAC4.1 MAC4.2 MAC5 O(2 (n s)/2 ) MAC6.1 MAC6.2 O(2 (n s)/2 ) The same attack applies 21

CBC MAC Variants in ISO/IEC 9797 1:2011 MAC1.1 O(1): folklore MAC1.2 O(2 n/2 ) MAC2.1 O(2 (n s)/2 ) MAC2.2 O(2 (n s)/2 ) MAC3 O(2 (n s)/2 ) MAC4.1 O(2 n/2 ) MAC4.2 O(2 n/2 ) MAC5 O(2 (n s)/2 ) MAC6.1 O(2 n/2 ) MAC6.2 O(2 (n s)/2 ) Attacks with the birthday complexity are known [ISO/IEC 9797 1, PO99] 22

CBC MAC Variants in ISO/IEC 9797 1:2011 MAC1.1 O(1): folklore MAC1.2 O(2 n/2 ) MAC2.1 O(2 (n s)/2 ) MAC2.2 O(2 (n s)/2 ) MAC3 O(2 (n s)/2 ) MAC4.1 O(2 n/2 ) MAC4.2 O(2 n/2 ) MAC5 O(2 (n s)/2 ) MAC6.1 O(2 n/2 ) MAC6.2 O(2 (n s)/2 ) Can we improve these attacks? 23

CBC MAC Variants in ISO/IEC 9797 1:2011 MAC1.1 O(1): folklore MAC1.2 O(2 n/2 ) MAC2.1 O(2 (n s)/2 ) MAC2.2 O(2 (n s)/2 ) MAC3 O(2 (n s)/2 ) MAC4.1 O(2 n/2 ) MAC4.2 O(2 n/2 ) MAC5 O(2 (n s)/2 ) MAC6.1 O(2 n/2 ) MAC6.2 O(2 (n s)/2 ) Can we improve these attacks? No, we cannot 24

Provable Security Results PRF KCV: a variant of PRF notion that captures KCV The adversary is given KCV Then the adversary is asked to distinguish between the MAC oracle and the random oracle Let M K1,..., Kw be a MAC based on E: {0,1} k {0,1} n > {0,1} n the key space is ({0,1} k ) w for some integer w > 0, and uses (K 1,..., K w ) as a key KCV = (msb(s, E K1 (0 n )),..., msb(s, E Kw (0 n ))) 25

Theorem 26

Theorem MAC attack bound assumption MAC1.2 O(2 n/2 ) O( 2 /2 n ) PRP MAC2.1 O(2 (n s)/2 ) O( 2 /2 n s ) PRP RKA MAC2.2 O(2 (n s)/2 ) O( 2 /2 n s ) PRP MAC3 O(2 (n s)/2 ) O( 2 /2 n s ) SPRP MAC4.1 O(2 n/2 ) O( 2 /2 n ) PRP RKA MAC4.2 O(2 n/2 ) O( 2 /2 n ) PRP RKA MAC5 O(2 (n s)/2 ) O( 2 /2 n s ) PRP MAC6.1 O(2 n/2 ) O( 2 /2 n ) PRP MAC6.2 O(2 (n s)/2 ) O( 2 /2 n s ) PRP 27

Theorem MAC attack bound assumption MAC1.2 O(2 n/2 ) O( 2 /2 n ) PRP MAC2.1 O(2 (n s)/2 ) O( 2 /2 n s ) PRP RKA MAC2.2 O(2 (n s)/2 ) O( 2 /2 n s ) PRP MAC3 O(2 (n s)/2 ) O( 2 /2 n s ) SPRP MAC4.1 O(2 n/2 ) O( 2 /2 n ) PRP RKA MAC4.2 O(2 n/2 ) O( 2 /2 n ) PRP RKA MAC5 O(2 (n s)/2 ) O( 2 /2 n s ) PRP MAC6.1 O(2 n/2 ) O( 2 /2 n ) PRP MAC6.2 O(2 (n s)/2 ) O( 2 /2 n s ) PRP obtained a complete quantitative characterization of using KCV on ISO/IEC 9797 1:2011 MACs 28

Theorem MAC attack bound assumption MAC1.2 O(2 n/2 ) O( 2 /2 n ) PRP MAC2.1 O(2 (n s)/2 ) O( 2 /2 n s ) PRP RKA MAC2.2 O(2 (n s)/2 ) O( 2 /2 n s ) PRP MAC3 O(2 (n s)/2 ) O( 2 /2 n s ) SPRP MAC4.1 O(2 n/2 ) O( 2 /2 n ) PRP RKA MAC4.2 O(2 n/2 ) O( 2 /2 n ) PRP RKA MAC5 O(2 (n s)/2 ) O( 2 /2 n s ) PRP MAC6.1 O(2 n/2 ) O( 2 /2 n ) PRP MAC6.2 O(2 (n s)/2 ) O( 2 /2 n s ) PRP obtained a complete quantitative characterization of using KCV on ISO/IEC 9797 1:2011 MACs 29

Example: MAC6.1 FCBC w/ a key derivation function KCV = msb(s, E K (0 n )) (K, K ) < KD(K) when k = n, K = E K (0 n 1 1) and K = E K (0 n 2 10) KCV, K, and K are random and independent if E is a PRP 30

Implication The use of KCV in these MACs does not result in total security loss security is lost by s/2 bits in some cases, and there is almost no security loss in other cases The impact is limited in practice if s is not large say 16 bits or 24 bits as suggested in ANSI X9.24 1:2009 31

Implication for n = 64, if s = 0, then the best attack needs 2 32 if s = 16 2 24 if s = 24 2 20 for n = 128 (not defined in ANSI X9.24, Annex C), if s = 0, then the best attack needs 2 64 if s = 16 2 56 if s = 24 2 52 if s = 32 2 48 if s = 48 2 40 can still be used in practice (depending on applications) 32

Possible Fixes Option 1: Always use the key derivation function of MAC6.1 even if the MAC uses one key KCV = msb(s, E K (0 n )) K < KD(K), when k = n, K = E K (0 n 1 1) use K in the MAC computation KCV and K are random and independent if E is a PRP 33

Possible Fixes Option 1: Always use the key derivation function of MAC6.1 even if the MAC uses one key KCV = msb(s, E K (0 n )) K < KD(K), when k = n, K = E K (0 n 1 1) use K in the MAC computation KCV and K are random and independent if E is a PRP Two more options in the paper based on the theory of a tweakable blockcipher removes the key scheduling process 34

Conclusions We analyzed the impact of using the key check value on the security of ISO/IEC 9797 1:2011 CBC MACs obtained a complete quantitative characterization the impact is limited in practice (if s is not very large) suggested possible fixes In general, KCV affects the security of blockcipher modes Question: impact on other modes? OCB, PMAC, GCM, and MAC5 and MAC6 in older version of ISO/IEC 9797 1: 1999 35

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback