Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Published byStephanie Troup Modified over 10 years ago

Similar presentations

Presentation on theme: "Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh."— Presentation transcript:

1 Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh

2 Dan Boneh Message Integrity Goal: integrity, no confidentiality. Examples: – Protecting public binaries on disk. – Protecting banner ads on web pages.

3 Dan Boneh Message integrity: MACs Def: MAC I = (S,V) defined over (K,M,T) is a pair of algs: – S(k,m) outputs t in T – V(k,m,t) outputs `yes ’ or `no ’ AliceBob kk message mtag Generate tag: tag  S(k, m) Verify tag: V(k, m, tag) = `yes ’ ?

4 Dan Boneh Integrity requires a secret key Attacker can easily modify message m and re-compute CRC. CRC designed to detect random, not malicious errors. AliceBob message mtag Generate tag: tag  CRC(m) Verify tag: V(m, tag) = `yes ’ ?

5 Dan Boneh Secure MACs Attacker’s power: chosen message attack for m 1,m 2,…,m q attacker is given t i  S(k,m i ) Attacker ’ s goal: existential forgery produce some new valid message/tag pair (m,t). (m,t)  { (m 1,t 1 ), …, (m q,t q ) } ⇒ attacker cannot produce a valid tag for a new message ⇒ given (m,t) attacker cannot even produce (m,t’) for t’ ≠ t

6 Dan Boneh Secure MACs For a MAC I=(S,V) and adv. A define a MAC game as: Def: I=(S,V) is a secure MAC if for all “ efficient ” A: Adv MAC [A,I] = Pr[Chal. outputs 1] is “ negligible. ” Chal.Adv. kKkK (m,t) m 1  M t 1  S(k,m 1 ) b=1 if V(k,m,t) = `yes ’ and (m,t)  { (m 1,t 1 ), …, (m q,t q ) } b=0 otherwise b m2m2, …, m q t2t2, …, t q

7 Template vertLeftWhite2 Let I = (S,V) be a MAC. Suppose an attacker is able to find m 0 ≠ m 1 such that S(k, m 0 ) = S(k, m 1 ) for ½ of the keys k in K Can this MAC be secure? Yes, the attacker cannot generate a valid tag for m 0 or m 1 No, this MAC can be broken using a chosen msg attack It depends on the details of the MAC

8 Template vertLeftWhite2 Let I = (S,V) be a MAC. Suppose S(k,m) is always 5 bits long Can this MAC be secure? Yes, the attacker cannot generate a valid tag for any message It depends on the details of the MAC No, an attacker can simply guess the tag for messages

9 Dan Boneh Example: protecting system files Later a virus infects system and modifies system files User reboots into clean OS and supplies his password – Then: secure MAC ⇒ all modified files will be detected Suppose at install time the system computes: F1F1 F1F1 t 1 = S(k,F 1 ) F2F2 F2F2 t 2 = S(k,F 2 ) FnFn FnFn t n = S(k,F n ) ⋯ k derived from user’s password filename

10 Dan Boneh End of Segment

Download ppt "Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh."

Similar presentations

ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Trusted 3rd parties Basic key exchange

Trusted 3rd parties Basic key exchange
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Online Cryptography Course Dan Boneh

Online Cryptography Course Dan Boneh
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.

Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.
Cryptography: Review Day David Brumley Carnegie Mellon University.

Cryptography: Review Day David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.

1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
Cryptography for Backup Navigation

Cryptography for Backup Navigation
1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.

1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Dan Boneh Basic key exchange The Diffie-Hellman protocol Online Cryptography Course Dan Boneh.

Dan Boneh Basic key exchange The Diffie-Hellman protocol Online Cryptography Course Dan Boneh.
Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.

Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.

Similar presentations

Ads by Google