Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk."— Presentation transcript:

1 1 Message Integrity CS255 Winter ‘06

2 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk. Protecting ads. –Requires secret key k unknown to attacker. –Def: MAC I = (S,V) defined over (K,M,T) is a pair of algorithms:- S(k,m) outputs t  T, - V(k,m,t) outputs `yes’ or `no’ AliceBob k k Message mtag Generate tag: tag  S(k, m) Verify tag: V(k, m, tag) = `yes’ ?

3 3 Secure MACs Attacker’s power: chosen message attack. – for m 1,m 2,…,m q attacker is given t i  S(k,mi) Attacker’s goal: existential forgery. – produce some new valid message/tag pair (m,t). (m,t)  { (m 1,t 1 ), …, (m q,t q ) } Note:attacker cannot even produce a valid tag for a nonsensical message.

4 4 Secure MACs For a MAC I=(S,V) and adv. A we define a MAC game: Def: I=(S,V) is a secure MAC if for all “efficient” A: MAC Adv[A,I] = Pr[Chal. outputs 1] is “negligible.” Chal.Adv. kKkK (m,t) m i  M t i  S(k,m i ) b=1 when V(k,m,t) = `yes’ and (m,t)  { (m 1,t 1 ), …, (m q,t q ) } b=0 otherwise b

5 5 Any secure PRF is a secure MAC Let F be a PRF over (K,X,Y). Define a MAC I F = (S,V): –S(k,m) = F(k,m) –V(k,m,t): output `yes’ if t = F(k,m) and `no’ otherwise. Theorem: If F is a secure PRF and 1/|Y| is negligible then I F is a secure MAC. In particular, for any MAC adversary A attacking I F there exists a PRF adversary B attacking F s.t.: MAC Adv[A, I F ]  PRF Adv[B, F] + 1/|Y|  I F is secure as long as |Y| is large, say |Y| = 2 80.

6 6 Proof Sketch Intuition: –Adversary A issues chosen message queries m 1,m 2, … –Gets back F(k,m 1 ), F(k,m 2 ), … –Must guess F(k,m) for m  {m 1, m 2, … } –But F is a PRF, so prob A guesses F(k,m) is 1/|X| Truncating MACs: –Suppose MAC is a PRF outputting n-bit tags (|Y| = 2 n ). –It is OK to truncate the MAC output to w<n bits. … as long as 1/2 w is still negligible (say w  64)

7 7 Examples AES: a MAC for 16-byte messages. Main question: how to convert Small-MAC into a Big-MAC ? Two main constructions: –CBC-MAC (banking – ANSI X9.9, X9.19, FIPS 186-3) –HMAC (Internet protocols: SSL, IPsec, SSH, …) Both convert a small-PRF into a big-PRF.

8 8 Raw CBC Construction 1: (E) CBC-MAC F(k,  ) m[0]m[1]m[3]m[4]  F(k,  )  F(k 1,  ) tag Let F be PRF over (K,X,X) Define new PRF F CBC over (K 2, X L, X )

9 9 CBC-MAC: Analysis CBC-MAC Theorem: For any L>0, If F is a secure PRF over (K,X,X) then F CBC is a secure PRF over (K, X  L, X). In particular, for a q-query PRF adv. A attacking F CBC there exists a PRF adversary B s.t.: PRF Adv[A, F CBC ]  PRF Adv[B, F] + 2 q 2 L o(1) / |X| Note: CBC-MAC is secure as long as q << |X| 1/2

10 10 Why the last encryption step? Suppose we define a MAC I RAW = (S,V) where S(k,m) = RawCBC(k,m) Fact: I RAW is easily broken using a chosen msg attack. Adversary works as follows: –Pick an arbitrary one-block message m  M –Request tag for m. Get t = F(k,m) –Output t as MAC forgery for the message (m, t  m) Indeed: RawCBC ( k, (m, t  m) ) = F ( k, t  (t  m) ) = t Unimportant note: RawCBC is secure for prefix-free inputs.

11 11 CBC-MAC Padding What is length of m is not multiple of block-size? Bad idea: pad m with 0’s –Vulnerable to chosen message attack: ask for tag on m and obtain tag on m||0 ISO: pad with “1000  00”. Add new block if needed. –The “1” indicates beginning of pad. CMAC: different padding. Never adds an extra block.

12 12 Construction 2: PMAC CBC-MAC is sequential. PMAC – Parallel MAC. m[0]m[1]m[3]m[4]  F(k,  ) F(k 1,  ) tag  P(k,0)P(k,1) P(k,2) P(k,3)

13 13 PMAC: Analysis PMAC Theorem: For any L>0, If F is a secure PRF over (K,X,X) then F PMAC is a secure PRF over (K, X  L, X). In particular, for a q-query PRF adv. A attacking F PMAC there exists a PRF adversary B s.t.: PRF Adv[A, F PMAC ]  PRF Adv[B, F] + 2 q 2 L 2 / |X| Note: PMAC is secure as long as qL << |X| 1/2 Note: PMAC is incremental. Homework.

14 14 Construction 3: HMAC (Hash-MAC) Most widely used MAC on the Internet. … but, we first we discuss hash function.

15 15 Collision Resistant Hashing

16 16 Collision Resistance Let H: M  T be a hash function. A collision for H is a pair m 0, m 1  M such that: H(m 0 ) = H(m 1 ) and m 0  m 1 Def: A function H is collision resistant if for all (uniform) “efficient” algs. A: CR Adv[A,H] = Pr[ A outputs collision for H] is “negligible” Used to have lots of examples: MD5, SHA1, … Currently, only: SHA-256, SHA-512, Whirpool 44.5MB/sec, 11.4, 12.1 216MB/s 68

17 17 MACs from Collision Resistance Let I = (S,V) be a MAC for small messages over (K,M,T). Let H: M big  M Define: I big = (S big, V big ) over (K, M big, T) as: S big (k,m) = S(k,H(m)) ; V big (k,m,t) = V(k,H(m),t) Theorem: If I is a secure MAC and H is collision resistant then I big is a secure MAC. So: S(k,m) = AES(k, SHA-256(m)) is a secure MAC.

Download ppt "1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk."

Similar presentations

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.

Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.
Cryptography: Review Day David Brumley Carnegie Mellon University.

Cryptography: Review Day David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.

1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.

1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
25th Feb 2009FSE1 1 Fast and Secure CBC-type MACs National Institute of Standards and Technology Mridul Nandi

25th Feb 2009FSE1 1 Fast and Secure CBC-type MACs National Institute of Standards and Technology Mridul Nandi
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Goal Ensure integrity of messages, even in presence of

Goal Ensure integrity of messages, even in presence of
Information Security and Management 11

Information Security and Management 11
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004.
Foundations of Network and Computer Security J J ohn Black Lecture #7 Sep 11 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #7 Sep 11 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Foundations of Network and Computer Security J J ohn Black Lecture #9 Sep 17 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #9 Sep 17 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Similar presentations

Ads by Google