Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 4 Message Authentication Stefan Dziembowski www.dziembowski.net MIM UW 28.10.11ver 1.1.

Published byEsmond Ball Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 4 Message Authentication Stefan Dziembowski www.dziembowski.net MIM UW 28.10.11ver 1.1."— Presentation transcript:

1 Lecture 4 Message Authentication Stefan Dziembowski www.dziembowski.net MIM UW 28.10.11ver 1.1

2 Plan 1.Introduction to message authentication codes (MACs). 2.Constructions of MACs block ciphers 3.Hash functions 1.a definition 2.constructions 3.a construction of MACs from hash functions 4.the random oracle model

3 Secure communication encryptionauthentication private key private key encryption private key authentication public keypublic key encryption signatures 1 1 3 3 2 2 4 4

4 4 Message Authentication Integrity: M interferes with the transmission (modifies the message, or inserts a new one) interferes with the transmission (modifies the message, or inserts a new one) AliceBob How can Bob be sure that M really comes from Alice?

5 5 Sometimes: more important than secrecy! AliceBank transfer 1000 $ to Eve transfer 1000 $ to Bob Of course: usually we want both secrecy and integrity.

6 6 Does encryption guarantee message integrity? Idea: 1.Alice encrypts m and sends c=Enc(k,m) to Bob. 2.Bob computes Dec(k,m), and if it “makes sense” accepts it. Intuiton: only Alice knows k, so nobody else can produce a valid ciphertext. It does not work! Example: one-time pad. transfer 1000 $ to Bob key K ciphertext C plaintext M xor If Eve knows M and C then she can calculate K and produce a ciphertext of any other message

7 7 Message authentication AliceBob (m, t=Tag k (m)) Eve can see (m, t=Tag k (m)) She should not be able to compute a valid tag t’ on any other message m’. k k m verifies if t=Tag k (m) verifies if t=Tag k (m)

8 8 Message authentication – multiple messages AliceBob (m 1, t 1 =Tag k (m 1 )) Eve should not be able to compute a valid tag t’ on any other message m’. k k (m 2, t 2 =Tag k (m 2 )) m2m2 m1m1 (m w, t w =Tag k (m w )) mtmt...

9 9 Alice Bob (m, t=Tag k (m)) k k m є {0,1}* k is chosen randomly from some set K Vrfy k (m,t) є {yes,no} Message Authentication Codes – the idea

10 A mathematical view K – key space M – plaintext space T - set of tags K – key space M – plaintext space T - set of tags A Message Authentication Code (MAC) scheme is a pair (Tag, Vrfy), where Tag : K × M → T is an tagging algorithm, Vrfy : K × M × T → {yes, no} is a verification algorithm. A Message Authentication Code (MAC) scheme is a pair (Tag, Vrfy), where Tag : K × M → T is an tagging algorithm, Vrfy : K × M × T → {yes, no} is a verification algorithm. We will sometimes write Tag k (m) and Vrfy k (m,t) instead of Tag(k,m) and Vrfy(k,m,t). Correctness it should always holds that: Vrfy k (m,Tag k (m)) = yes. Correctness it should always holds that: Vrfy k (m,Tag k (m)) = yes.

11 Conventions If Tag is deterministic, then Vrfy just computes Tag and compares the result. In this case we do not need to define Vrfy explicitly. If Vrfy k (m,t ) = yes then we say that t is a valid tag on the message m.

12 12 Therefore we assume that 1.The adversary is allowed to chose m 1,...,m w. 2.The goal of the adversary is to produce a valid tag on some m’ such that m’ ≠ m 1,...,m w. Therefore we assume that 1.The adversary is allowed to chose m 1,...,m w. 2.The goal of the adversary is to produce a valid tag on some m’ such that m’ ≠ m 1,...,m w. How to define security? We need to specify: 1.how the messages m 1,...,m w are chosen, 2.what is the goal of the adversary. Good tradition: be as pessimistic as possible!

13 13 security parameter 1 n security parameter 1 n selects random a k Є {0,1} n oracle m1m1 m1m1 mwmw mwmw... (m 1, t=Tag k (m 1 )) (m w, t=Tag k (m w )) We say that the adversary breaks the MAC scheme at the end she outputs (m’,t’) such that Vrfy k (m’,t’) = yes and m’ ≠ m 1,...,m w adversary

14 14 The security definition We say that (Tag,Vrfy) is secure if A polynomial-time adversary A P(A breaks it) is negligible (in n)

15 15 Aren’t we too paranoid? Maybe it would be enough to require that: the adversary succeds only if he forges a message that “makes sense”. (e.g.: forging a message that consists of random noise should not count) Bad idea: hard to define, is application-dependent.

16 16 Warning: MACs do not offer protection against the “replay attacks”. AliceBob (m, t)... Since Vrfy has no state (or “memory”) there is no way to detect that (m,t) is not fresh! This problem has to be solved by the higher-level application (methods: time-stamping, sequence numbers...). This problem has to be solved by the higher-level application (methods: time-stamping, sequence numbers...).

17 Authentication and Encryption Options: Encrypt-and-authenticate: c := Enc k1 (m) and t := Tag k2 (m), send (c,t) Authenticate-then-encrypt: t := Tag k2 (m) and c := Enc k1 (m||t), send (c,t) Encrypt-then-authenticate: c := Enc k1 (m) and t := Tag k2 (c), send (c,t) wrong better the best m m t := Tag k2 (m) c := Enc k1 (m) m m t := Tag k2 (m) c := Enc k1 (m ||t) m m t := Tag k2 (c) c := Enc k1 (m)

18 18 Constructing a MAC 1.There exist MACs that are secure even if the adversary is infinitely-powerful. These constructions are not practical. 2.MACs can be constructed from the block-ciphers. We will now discuss to constructions: – simple (and not practical), – a little bit more complicated (and practical) – a CBC-MAC 1.MACs can also be constructed from the hash functions (NMAC, HMAC).

19 Plan 1.Introduction to message authentication codes (MACs). 2.Constructions of MACs from block ciphers 3.Hash functions 1.a definition 2.constructions 3.concrete functions 4.a construction of MACs from hash functions 5.the random oracle model

20 20 A simple construction from a block cipher Let F : {0,1} n × {0,1} n → {0,1} n be a block cipher. We can now define a MAC scheme that works only for messages m Є {0,1} n as follows: Tag(k,m) = F(k,m) It can be proven that it is a secure MAC. How to generalize it to longer messages? Let F : {0,1} n × {0,1} n → {0,1} n be a block cipher. We can now define a MAC scheme that works only for messages m Є {0,1} n as follows: Tag(k,m) = F(k,m) It can be proven that it is a secure MAC. How to generalize it to longer messages? FkFk FkFk k k m m F(k,m)

21 21 Idea 1 FkFk FkFk m1m1 m1m1 F(k,m 1 ) FkFk FkFk mdmd mdmd F(k,m d )... divide the message in blocks m 1,...,m d and authenticate each block separately This doesn’t work!

22 22 t = Tag k (m): m: t’ = perm(t): m’ = perm(m): perm Then t’ is a valid tag on m’. What goes wrong?

23 23 Idea 2 FkFk FkFk m1m1 m1m1 F(k,x 1 ) FkFk FkFk mdmd mdmd F(k,x d )... Add a counter to each block. This doesn’t work either! 1 1 d d x1x1 xdxd

24 24 xixi m: t = Tag k (m): m’ = a prefix of m: t’ = a prefix of t: Then t’ is a valid tag on m’. mimi mimi i i

25 25 Idea 3 FkFk FkFk m1m1 m1m1 F(k,x 1 ) FkFk FkFk mdmd mdmd F(k,x d )... Add l := |m| to each block This doesn’t work either! 1 1 d d l l l l x1x1 xdxd

26 26 What goes wrong? xixi m:m: t = Tag k (m): m’: t’ = Tag k (m’): m’’ = first half from m || second half from m’ t’’ = first half from t || second half from t’ Then t’’ is a valid tag on m’’. m1m1 m1m1 1 1 l l

27 27 Idea 4 FkFk FkFk F(k,x 1 ) FkFk FkFk m d F(k,x d )... Add a fresh random value to each block! This works! d d l l x1x1 xdxd r r m d d d l l r r

28 28 pad with zeroes if needed FkFk FkFk F(k,x 1 ) m m 1 1 l l r r FkFk FkFk F(k,x 2 ) m2m2 m2m2 2 2 r r FkFk FkFk F(k,x d ) mdmd mdmd d d r r m1m1 m1m1 m2m2 m2m2 mdmd mdmd... m1m1 m1m1 l l l l l x1x1 x2x2 xdxd |m i | = n/4 r is chosen randomly r r tag k (m) 000 n – block length

29 29 This construction can be proven secure Theorem Assuming that F : {0,1} n × {0,1} n → {0,1} n is a pseudorandom permutation the construction from the previous slide is a secure MAC. Proof idea: Suppose it is not a secure MAC. Let A be an adversary that breaks it with a non-negligible probability. We construct a distinguisher D that distinguishes F from a random permutation.

30 A new member of “Minicrypt” computationally-secure MACs exist computationally-secure MACs exist cryptographic PRGs exist cryptographic PRGs exist one-way functions exist one-way functions exist this we already knew this we have just proven this can be proven

31 31 Problem: The tag is 4 times longer than the message... Problem: The tag is 4 times longer than the message... This construction is not practical We can do much better!

32 32 CBC-MAC m m m1m1 m1m1 m2m2 m2m2 m3m3 m3m3 mdmd mdmd... pad with zeroes if needed 0000 |m| FkFk FkFk FkFk FkFk FkFk FkFk FkFk FkFk FkFk FkFk tag k (m) F : {0,1} n × {0,1} n → {0,1} n - a block cipher Other variants exist!

33 33 m1m1 m1m1 m2m2 m2m2 m3m3 m3m3 mdmd mdmd... |m| FkFk FkFk FkFk FkFk FkFk FkFk FkFk FkFk FkFk FkFk Why is this needed? Suppose we do not prepend |m|... tag k (m)

34 34 m1m1 m1m1 FkFk FkFk t 1 =tag k (m 1 ) m2m2 m2m2 FkFk FkFk t 2 =tag k (m 2 ) m1m1 m1m1 m 2 xor t 1 FkFk FkFk FkFk FkFk t’= tag k ( m’ ) m’ t’ = t 2 t1t1 t1t1 the adversary chooses: now she can compute: m2m2 m2m2

35 35 Some practictioners don’t like the CBC- MAC We don’t want to authenticate using the block ciphers! What do you want to use instead? Because: 1.they are more efficient, 2.they are not protected by the export regulations. Because: 1.they are more efficient, 2.they are not protected by the export regulations. Why? Hash functions!

36 Plan 1.Introduction to message authentication codes (MACs). 2.Constructions of MACs: 1.from pairwise independent functions 2.from block ciphers 3.Hash functions 1.a definition 2.constructions 3.concrete functions 4.a construction of MACs from hash functions 5.the random oracle model

37 37 Another idea for authenticating long messages a “hash function” h h(m) long m a block cipher F k a block cipher F k k k F k (h(m)) By the way: a similar method is used in the public-key cryptography (it is called “hash-and-sign”).

38 How to formalize it? We need to define what is a “hash function”. The basic property that we require is: “collision resistance”

39 39 Collision-resistant hash functions a hash function H : {0,1}* → {0,1} L a hash function H : {0,1}* → {0,1} L short H(m) long m Requirement: it should be hard to find a pair (m,m’) such that H(m) =H(m’) a “collision” collision-resistance

40 40 Collisions always exist domain range m m’ Since the domain is larger than the range the collisions have to exist.

41 41 “Practical definition” H is a collision-resistant hash function if it is “practically impossible to find collisions in H”. Popular hash funcitons: MD5 (now considered broken) SHA1...

42 42 How to formally define “collision resitance”? Idea Say something like: H is a collision-resistant hash function if A efficient adversary A P(A finds a collision in H) is small Problem For a fixed H there always exist a constant-time algorithm that “finds a collision in H” in constant time. It may be hard to find such an algorithm, but it always exists!

43 43 families of hash functions indexed by a key s {H s } s є keys families of hash functions indexed by a key s {H s } s є keys Solution When we prove theorems we will always consider

44 44 H H H HsHs HsHs HsHs s s formal model: informal description: “knows H” s is chosen randomly s is chosen randomly a protocol

45 45 H H H SHA1 real-life implementation (example): informal description: “knows H” “knows SHA1” H a protocol

46 46 H takes as input a key s є {0,1} n and a message x є {0,1}* and outputs a string H s (x) є {0,1} L(n) where L(n) is some fixed function. H takes as input a key s є {0,1} n and a message x є {0,1}* and outputs a string H s (x) є {0,1} L(n) where L(n) is some fixed function. Hash functions – the functional definition A hash function is a probabilistic polynomial-time algorithm H such that:

47 47 Hash functions – the security definition [1/2] 1n1n selects a random s є {0,1} n s outputs (m,m’) We say that adversary A breaks the function H if H s (m) = H s (m’).

48 48 H is a collision-resistant hash function if Hash functions – the security definition [2/2] A polynomial-time adversary A P(A breaks H) is negligible

49 49 How to formalize our idea? a “hash function” h h(m) long m a block cipher F k a block cipher F k k k F k (h(m))

50 Authentication scheme - formally A key for the MAC is a pair: (s,k) a key for the hash function H a key for the PRP F Tag((k,s),m) = F k (H s (m)) Theorem. If H and F are secure then Tag is secure. This is proven as follows. Suppose we have an adversary that breaks Tag. Then we can construct: simulates a distinguisher for F an adversary for H or

51 Do collision-resilient hash functions belong to minicrypt? [D. Simon: Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? 1998]: there is no “black-box reduction”. collision-resilient hash functions exist one-way functions exist one-way functions exist ? open problem easy exercise

52 52 A common method for constructing hash functions 1.Construct a “fixed-input-length” collision-resistant hash function Call it: a collision-resistant compression function. 2.Use it to construct a hash function. h : {0,1} 2·L → {0,1} L h(m) m m L 2·L2·L

53 53 An idea m m h h h h m1m1 m1m1 h h m2m2 m2m2 mBmB mBmB IV 0000 pad with zeroes if needed... t m i є {0,1} L H(m) can be arbitrary This doesn’t work......

54 54 Why is it wrong? m m m1m1 m1m1 m2m2 m2m2 mBmB mBmB 0000 t If we set m’ = m || 0000 then H(m’) = H(m). Solution: add a block encoding “t”. m’ m’ 1 m’ 2 m’ B 0000 t m’ B+1 := t...

55 55 Merkle-Damgård transform m m h h h h h h m1m1 m1m1 h h m2m2 m2m2 mBmB mBmB m B+1 := t IV 0000... t given h : {0,1} 2L → {0,1} L we construct H : {0,1}*→ {0,1} L m i є {0,1} L H(m) doesn’t need to be know in advance (nice!)

56 56 This construction is secure We would like to prove the following: If h : {0,1} 2L → {0,1} L is a collision-resistant compression function then H : {0,1}*→ {0,1} L is a collision-resistant hash function. But wait…. It doesn’t make sense… Theorem

57 What to do? To be formal, we would need to consider families of functions h and H indexed by key s Let’s stay on the informal level and “argue” that: “if one can find a collision in H then one can find a collision in h”

58 58 A breaks H a breaks h (m,m’) a collision in H outputs a collision (x,y) in h

59 59 How to compute a collision (x,y) in h from a collision (m,m’) in H? We consider two options: 1.|m| = |m’| 2.|m| ≠ |m’|

60 60 Option 1: |m| = |m’| m m m1m1 m1m1 m2m2 m2m2 mBmB mBmB m B+1 := t 0000 t m’ m’ 1 m’ 2 m’ B m’ B+1 := t 0000 t

61 61 |m| = |m’| m m h h h h h h m1m1 m1m1 h h m2m2 m2m2 mBmB mBmB m B+1 := t z2z2 IV 0000... H(m) z1z1 z3z3 z B+1 zBzB Some notation:

62 62 |m| = |m’| m’ h h h h h h m’ 1 h h m’ 2 m’ B m’ B+1 := t z’ 2 IV 0000... H(m’) z’ 1 z’ 3 z’ B+1 z’ B For m’:

63 63 z 1 = IV m1m1 m1m1 z2z2 m2m2 m2m2 zBzB mBmB mBmB z B+1 m B+1... z’ 1 = IV m’ 1 z’ 2 m’ 2 z’ B m’ B z’ B+1 m’ B+1... equal z B+2 =H(m)z B+2 =H(m’) not equal z3z3 z3z3

64 64 z 1 = IV m1m1 m1m1 z2z2 m2m2 m2m2 zBzB mBmB mBmB z B+1 m B+1... z’ 1 = IV m’ 1 z’ 2 m’ 2 z’ B m’ B z’ B+1 m’ B+1... equal z B+2 =H(m) Let i* be the least i such that (m i,z i ) = (m’ i,z’ i ) (because m ≠ m’ such an i* > 1 always exists!) Let i* be the least i such that (m i,z i ) = (m’ i,z’ i ) (because m ≠ m’ such an i* > 1 always exists!) z B+2 =H(m’)

65 65 So, we have found a collision! z i*-1 m i*-1 z i* z’ i*-1 m’ i*-1 z’ i* not equal equal hh

66 66 Option 2: |m| ≠ |m’| z B+1 m B+1 z’ B’+1 m’ B’+1 equal H(m)H(m’)... the last block encodes the length on the message so these values cannot be equal! So, again we have found a collision!

67 67 Concrete functions MD5, SHA-1, SHA-256,....... all use (variants of) Merkle-Damgård transformation. Hash functions can also be constructed using the number theory.

68 68 MD5 (Message-Digest Algorithm 5) output length: 128 bits, designed by Rivest in 1991, in 1996, Dobbertin found collisions in the compresing function of MD5, in 2004 a group of Chinese mathematicians designed a method for finding collisions in MD5, there exist a tool that finds collisions in MD5 with a speed 1 collision / minute (on a laptop-computer) Is MD5 completely broken? The attack would be practical if the colliding documents “made sense”... In 2005 A. Lenstra, X. Wang, and B. de Weger found X.509 certificates with different public keys and the same MD5 hash. A similar attack was recently used in practice in the flame virus that attacked the Microsoft Windows Update Mechanism.

69 69 SHA-1 (Secure Hash Algorithm) output length: 160 bits, designed in 1993 by the NSA, in 2005 Xiaoyun Wang, Andrew Yao and Frances Yao presented an attack that runs in time 2 63. Still rather secure, but new hash algorithms are needed! A US National Institute of Standards and Technology is currently running a competition for a new hash algorithm (SHA-3). 5 finalists: BLAKE, Grøstl, JH, Keccak, Skein. Winner (2012): Keccak.

70 SHA-3: Keccak authors: Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche output lengths: 224, 256, 384, 512 speed: 12.5 cycles per byte on Core 2

71 Plan 1.Introduction to message authentication codes (MACs). 2.Constructions of MACs: 1.from pairwise independent functions 2.from block ciphers 3.Hash functions 1.a definition 2.constructions 3.concrete functions 4.a construction of MACs from hash functions 5.the random oracle model

72 72 What the industry says about the “hash and authenticate” method? the block cipher is still there... Why don’t we just hash a message together with a key: MAC k (m) = H(k || m) ? Why don’t we just hash a message together with a key: MAC k (m) = H(k || m) ? It’s not secure!

73 73 Suppose H was constructed using the MD- transform IV k k z2z2 z2z2 m m z2z2 z2z2 t t MAC k (m) IV k k z2z2 z2z2 m m z3z3 z3z3 t t MAC k (m||t) t + L MAC k (m) L she can see this she can fabricate this

74 74 Again, let h : {0,1} 2L → {0,1} L be a compression function. A better idea M. Bellare, R. Canetti, and H. Krawczyk (1996): NMAC (Nested MAC) HMAC (Hash based MAC) have some “provable properites” They both use the Merkle-Damgård transform.

75 75 NMAC m m hh m1m1 m1m1 h mBmB mBmB m B+1 := |m| k1k1 k1k1 0000... h k2k2 k2k2 NMAC (k1,k2) (m)

76 76 What can be proven Suppose that 1.h is collision-resistant 2.the following function is a secure MAC: Then NMAC is a secure MAC. h k2k2 k2k2 MAC k2 (m) m m

77 77 Looks better, but 1.our libraries do not permit to change the IV 2.the key is too long: (k 1,k 2 ) Looks better, but 1.our libraries do not permit to change the IV 2.the key is too long: (k 1,k 2 ) HMAC is the solution!

78 78 HMAC hh k xor ipad h m1m1 m1m1 m B+1 := |m| IV... h IV HMAC k (m) h k xor opad ipad = 0x36 repeated opad = 0x5C repeated

79 79 HMAC – the properties Looks complicated, but it is very easy to implement (given an implementation of H): HMAC k (m) = H((k xor opad) || H(k xor ipad || m)) It has some “provable properties” (slightly weaker than NMAC). Widely used in practice. We like it!

80 Plan 1.Introduction to message authentication codes (MACs). 2.Constructions of MACs: 1.from pairwise independent functions 2.from block ciphers 3.Hash functions 1.a definition 2.constructions 3.concrete functions 4.a construction of MACs from hash functions 5.the random oracle model

81 Other uses of “hash functions” Hash functions are used by practicioners to convert “non-uniform randomness” into a uniform one. shorter “uniformly random” H(m) user generated randomness X (key strokes, mouse movements, etc.) a hash function H : {0,1}* → {0,1} L a hash function H : {0,1}* → {0,1} L Example:

82 Example: password-based encryption c = E(H(π),m) AliceBob H – hash function (E,D) – encryption scheme shared password π message m m = D(H(π),c) Informally: The only thing that Eve can do is to examine all possible passwords. Warning: there exist much better solutions for this problem

83 Random oracle model [Bellare, Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, 1993] Idea: model the hash function as a random oracle. H : {0,1}* → {0,1} L a completely random function xH(x)

84 Remember the pseudorandom functions? A random function F: {0,1} m → {0,1} m A random function F: {0,1} m → {0,1} m x x F(x) x’ F(x’) x’’ F(x’’) Crucial difference: Also the adversary can query the oracle

85 85 H formal model: informal description: “knows H” a protocol H : {0,1}* → {0,1} L Every call to H is replaced with a query to the oracle. also the adversary is allowed to query the oracle.

86 How would we use it in the proof? shorter “uniformly random” H(X) user generated randomness X a hash function H : {0,1}* → {0,1} L a hash function H : {0,1}* → {0,1} L As long as the adversary never queried the oracle on X the value H(X) “looks completely random to him”.

87 Criticism of the Random Oracle Model There exists a signature scheme that is secure in ROM but is not secure if the random oracle is replaced with any real hash function. This example is very artificial. No “realistic” example of this type is know. There exists a signature scheme that is secure in ROM but is not secure if the random oracle is replaced with any real hash function. This example is very artificial. No “realistic” example of this type is know. [Canetti, Goldreich, Halevi: The random oracle methodology, revisited. 1998]

88 Terminology Model without the random oracles: “plain model” “cryptographic model” Model without the random oracles: “plain model” “cryptographic model” Random Oracle Model is also called: the “Random Oracle Heuristic”. Random Oracle Model is also called: the “Random Oracle Heuristic”. Common view: a ROM proof is better than nothing.

89 Plan 1.Introduction to message authentication codes (MACs). 2.Constructions of MACs: 1.from pairwise independent functions 2.from block ciphers 3.Hash functions 1.a definition 2.constructions 3.a construction of MACs from hash functions 4.the random oracle model

90 Secure communication encryptionauthentication private key private key encryption private key authentication public keypublic key encryption signatures 1 1 3 3 2 2 4 4

91 Outlook one time pad, quantum cryptography,... one time pad, quantum cryptography,... based on 2 simultanious assumptions: 1.some problems are computationally difficult 2.our understanding of what “computational difficulty” means is correct. based on 2 simultanious assumptions: 1.some problems are computationally difficult 2.our understanding of what “computational difficulty” means is correct. cryptography “information-theoretic”, “unconditional” “information-theoretic”, “unconditional” “computational”

92 Symmetric cryptography symmetric cryptography encryptionauthentication

93 The basic information-theoretic tool xor (one-time pad)

94 Basic tools from the computational cryptography one-way functions pseudorandom generators pseudorandom functions/permutations hash functions

95 A method for proving security: reductions one-way functions computationally-secure encryption computationally-secure authentication pseudorandom generators pseudorandom functions/permutations hash functions P ≠ NP in general the picture is much more complicated! minicrypt

96 © 2009 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.

Download ppt "Lecture 4 Message Authentication Stefan Dziembowski www.dziembowski.net MIM UW 28.10.11ver 1.1."

Similar presentations

Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Cryptographic Hash Functions Rocky K. C. Chang, February 2013 1.

Cryptographic Hash Functions Rocky K. C. Chang, February
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Lecture 10 Signature Schemes Stefan Dziembowski www.dziembowski.net MIM UW 7.12.12ver 1.0.

Lecture 10 Signature Schemes Stefan Dziembowski MIM UW ver 1.0.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Lecture 3 Message Authentication and Hash Functions Stefan Dziembowski University of Rome La Sapienza BiSS 2009 Bertinoro International Spring School 2-6.

Lecture 3 Message Authentication and Hash Functions Stefan Dziembowski University of Rome La Sapienza BiSS 2009 Bertinoro International Spring School 2-6.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Message Authentication,

Message Authentication,
CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

Similar presentations

Ads by Google