Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Slides:



Advertisements
Similar presentations
ElGamal Security Public key encryption from Diffie-Hellman
Advertisements

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Trusted 3rd parties Basic key exchange
Lecture 5: Cryptographic Hashes
Online Cryptography Course Dan Boneh
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.
Cryptography: Review Day David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Digital Signatures and Hash Functions. Digital Signatures.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
Cryptography for Backup Navigation
1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Dan Boneh Basic key exchange The Diffie-Hellman protocol Online Cryptography Course Dan Boneh.
Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh.
Dan Boneh Intro. Number Theory Intractable problems Online Cryptography Course Dan Boneh.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh.
Dan Boneh Odds and ends Key Derivation Online Cryptography Course Dan Boneh.
Sorting Out Digital Certificates Bill blog.codingoutloud.com ··· Boston Azure ··· 13·Dec·2012 ···
Dan Boneh Stream ciphers The One Time Pad Online Cryptography Course Dan Boneh.
8. Data Integrity Techniques
CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
Dan Boneh Public key encryption from Diffie-Hellman The ElGamal Public-key System Online Cryptography Course Dan Boneh.
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
Dan Boneh Block ciphers More attacks on block ciphers Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations PKCS 1 Online Cryptography Course Dan Boneh.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Dan Boneh Using block ciphers Modes of operation: many time key (CBC) Online Cryptography Course Dan Boneh Example applications: 1. File systems: Same.
Dan Boneh Stream ciphers Pseudorandom Generators Online Cryptography Course Dan Boneh.
Dan Boneh Collision resistance Introduction Online Cryptography Course Dan Boneh.
Csci5233 computer security & integrity 1 Cryptography: an overview.
Dan Boneh Message Integrity CBC-MAC and NMAC Online Cryptography Course Dan Boneh.
Odds and ends Tweakable encryption
Prepared by Dr. Lamiaa Elshenawy
Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions.
Cryptography: Review Day David Brumley Carnegie Mellon University.
Template vertLeftWhite2 Authenticated Encryption Attacking non-atomic decryption Online Cryptography Course Dan Boneh.
Dan Boneh Stream ciphers Stream ciphers are semantically secure Online Cryptography Course Dan Boneh Goal: secure PRG ⇒ semantically secure stream cipher.
Presentation Road Map 1 Authenticated Encryption 2 Message Authentication Code (MAC) 3 Authencryption and its Application Objective Modes of Operation.
Dan Boneh Basic key exchange Trusted 3 rd parties Online Cryptography Course Dan Boneh.
Dan Boneh Introduction Course Overview Online Cryptography Course Dan Boneh.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
Dan Boneh Collision resistance The Merkle-Damgard Paradigm Online Cryptography Course Dan Boneh.
Dan Boneh Stream ciphers PRG Security Defs Online Cryptography Course Dan Boneh.
Dan Boneh Intro. Number Theory Fermat and Euler Online Cryptography Course Dan Boneh.
Dan Boneh Odds and ends Deterministic Encryption Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations Constructions Online Cryptography Course Dan Boneh Goal: construct chosen-ciphertext secure.
Dan Boneh Authenticated Encryption CBC paddings attacks Online Cryptography Course Dan Boneh.
Dan Boneh Collision resistance Timing attacks on MAC verification Online Cryptography Course Dan Boneh.
@Yuan Xue 285: Network Security CS 285 Network Security Message Authentication Code Data integrity + Source authentication.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Cryptography: an overview
Cryptography: an overview
Cryptographic Hash Functions
Authenticated encryption
Cryptographic Hash Functions
B504/I538: Introduction to Cryptography
PRPs and PRFs CS255: Winter 2017
Cryptography: an overview
Topic 13: Message Authentication Code
Presentation transcript:

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh

Dan Boneh Message Integrity Goal: integrity, no confidentiality. Examples: – Protecting public binaries on disk. – Protecting banner ads on web pages.

Dan Boneh Message integrity: MACs Def: MAC I = (S,V) defined over (K,M,T) is a pair of algs: – S(k,m) outputs t in T – V(k,m,t) outputs `yes ’ or `no ’ AliceBob kk message mtag Generate tag: tag  S(k, m) Verify tag: V(k, m, tag) = `yes ’ ?

Dan Boneh Integrity requires a secret key Attacker can easily modify message m and re-compute CRC. CRC designed to detect random, not malicious errors. AliceBob message mtag Generate tag: tag  CRC(m) Verify tag: V(m, tag) = `yes ’ ?

Dan Boneh Secure MACs Attacker’s power: chosen message attack for m 1,m 2,…,m q attacker is given t i  S(k,m i ) Attacker ’ s goal: existential forgery produce some new valid message/tag pair (m,t). (m,t)  { (m 1,t 1 ), …, (m q,t q ) } ⇒ attacker cannot produce a valid tag for a new message ⇒ given (m,t) attacker cannot even produce (m,t’) for t’ ≠ t

Dan Boneh Secure MACs For a MAC I=(S,V) and adv. A define a MAC game as: Def: I=(S,V) is a secure MAC if for all “ efficient ” A: Adv MAC [A,I] = Pr[Chal. outputs 1] is “ negligible. ” Chal.Adv. kKkK (m,t) m 1  M t 1  S(k,m 1 ) b=1 if V(k,m,t) = `yes ’ and (m,t)  { (m 1,t 1 ), …, (m q,t q ) } b=0 otherwise b m2m2, …, m q t2t2, …, t q

Template vertLeftWhite2 Let I = (S,V) be a MAC. Suppose an attacker is able to find m 0 ≠ m 1 such that S(k, m 0 ) = S(k, m 1 ) for ½ of the keys k in K Can this MAC be secure? Yes, the attacker cannot generate a valid tag for m 0 or m 1 No, this MAC can be broken using a chosen msg attack It depends on the details of the MAC

Template vertLeftWhite2 Let I = (S,V) be a MAC. Suppose S(k,m) is always 5 bits long Can this MAC be secure? Yes, the attacker cannot generate a valid tag for any message It depends on the details of the MAC No, an attacker can simply guess the tag for messages

Dan Boneh Example: protecting system files Later a virus infects system and modifies system files User reboots into clean OS and supplies his password – Then: secure MAC ⇒ all modified files will be detected Suppose at install time the system computes: F1F1 F1F1 t 1 = S(k,F 1 ) F2F2 F2F2 t 2 = S(k,F 2 ) FnFn FnFn t n = S(k,F n ) ⋯ k derived from user’s password filename

Dan Boneh End of Segment

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.