Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS426Fall 2010/Lecture 61 Computer Security CS 426 Lecture 6 Cryptography: Message Authentication Code.

Published byGertrude Lee Modified over 9 years ago

Similar presentations

Presentation on theme: "CS426Fall 2010/Lecture 61 Computer Security CS 426 Lecture 6 Cryptography: Message Authentication Code."— Presentation transcript:

1 CS426Fall 2010/Lecture 61 Computer Security CS 426 Lecture 6 Cryptography: Message Authentication Code

2 Announcements Homework 1 handled out on Sept 1, due on Sept 10 Will have first quiz on Sept 8 CS426Fall 2010/Lecture 62

3 CS426Fall 2010/Lecture 63 Limitation of Using Hash Functions for Authentication Require an authentic channel to transmit the hash of a message –anyone can compute the hash value of a message, as the hash function is public –not always possible How to address this? –use more than one hash functions –use a key to select which one to use

4 CS426Fall 2010/Lecture 64 Hash Family A hash family is a four-tuple (X,Y,K,H ), where –X is a set of possible messages –Y is a finite set of possible message digests –K is the keyspace –For each K  K, there is a hash function h K  H. Each h K : X  Y Alternatively, one can think of H as a function K  X  Y

5 CS426Fall 2010/Lecture 65 Message Authentication Code A MAC scheme is a hash family, used for message authentication MAC = C K (M) The sender and the receiver share K The sender sends (M, C k (M)) The receiver receives (X,Y) and verifies that C K (X)=Y, if so, then accepts the message as from the sender To be secure, an adversary shouldn’t be able to come up with (X’,Y) such that C K (X)=Y.

6 Example of Insecure Hash Families Let h be a one-way hash function H(K,M) = h(K || M), where || denote concatenation –Insecure as MAC –Given M and a=h(K || M), can compute M’=M||… and a’, such that h(K||M’) = a’ H(K,M) = h(M || M), –Also insecure as MAC CS426Fall 2010/Lecture 66

7 CS426Fall 2010/Lecture 67 HMAC: Constructing MAC from Cryptographic Hash Functions K + is the key padded (with 0) to B bytes, the input block size of the hash function ipad = the byte 0x36 repeated B times opad = the byte 0x5C repeated B times. HMAC K [M] = Hash[(K +  opad) || Hash[(K +  ipad)||M)]]

8 CS426Fall 2010/Lecture 68 HMAC Overview

9 CS426Fall 2010/Lecture 69 HMAC Security If used with a secure hash functions (e.g., SHA-256) and according to the specification (key size, and use correct output), no known practical attacks against HMAC

10 CS426Fall 2010/Lecture 610 Encryption and Authentication Three ways for encryption and authentication –Authenticate-then-encrypt (AtE), used in SSL a = MAC(x), C=E(x,a), transmit C –Encrypt-then-authenticate (EtA), used in IPSec C=E(x), a=MAC(C), transmit (C,a) –Encrypt-and-authenticate (E&A), used in SSH C=E(x), a=MAC(x), transmit (C,a) Which way provides secure communications when embedded in a protocol that runs in a real adversarial network setting?

11 Encryption Alone May Be Insufficient for Privacy If an adversary can manipulate a ciphertext such that the observable behavior (such as success or failure of decryption) differs depending on the content of plaintext, then information about plaintext can be leaked To defend against these, should authenticate ciphertext, and only decrypt after making sure ciphertext has not changed Encrypt-then-authenticate (EtA) is secure –C=E(x), a=MAC(C), transmit (C,a) CS426Fall 2010/Lecture 611

12 CS426Fall 2010/Lecture 612 Encryption Alone May Be Insufficient for Privacy: An Artificial Example Given a secure stream cipher (or even one-time pad) E, Consider encryption E* –E*[x] = E[encode[x]] encode[x] replaces 0 with 00, and 1 with either 01 or 10. –How to decrypt? –E*[x] is secure Using E* may not provide confidentiality in some usage –Consider the case an adversary flips the first two bits of E*[x] –When the bits are 01 or 10, flipping results in no change after decrypt –When the bits are 00, flipping result in decryption failure –Learning whether decryption succeeds reveal first bit

13 CS426Fall 2010/Lecture 613 AtE and E&A are insecure Authenticate-then-encrypt (AtE) is not always secure –a = MAC(x), C=E(x,a), transmit C –As first step is decryption, its success or failure may leak information. –AtE, however, can be secure for some encryption schemes, such as CBC or OTP (or stream ciphers) Encrypt-and-authenticate (E&A) is not secure –C=E(x), a=MAC(x), transmit (C,a) –MAC has no guarantee for confidentiality

14 CS426Fall 2010/Lecture 614 Readings for This Lecture Wikipedia Message Authentication Code Optional reading Hugo Krawzyck.: The Order of Encryption and Authentication for Protecting Communications”

15 CS426Fall 2010/Lecture 615 Coming Attractions … Operating System Security Basics

Download ppt "CS426Fall 2010/Lecture 61 Computer Security CS 426 Lecture 6 Cryptography: Message Authentication Code."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Symmetric Message Authentication Codes Prof. Ravi Sandhu.

Symmetric Message Authentication Codes Prof. Ravi Sandhu.
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Topic 7: Using cryptography in mobile computing. Cryptography basics: symmetric, public-key, hash function and digital signature Cryptography, describing.

Topic 7: Using cryptography in mobile computing. Cryptography basics: symmetric, public-key, hash function and digital signature Cryptography, describing.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Lecture 13 Message Signing

Lecture 13 Message Signing
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
CS426Fall 2010/Lecture 21 Computer Security CS 426 Lecture 2 Cryptography: Terminology & Classic Ciphers.

CS426Fall 2010/Lecture 21 Computer Security CS 426 Lecture 2 Cryptography: Terminology & Classic Ciphers.
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Chapter 13: Electronic Commerce and Information Security Invitation to Computer Science, C++ Version, Fourth Edition SP09: Contains security section (13.4)

Chapter 13: Electronic Commerce and Information Security Invitation to Computer Science, C++ Version, Fourth Edition SP09: Contains security section (13.4)
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
Network Security Sorina Persa Group 3250 Group 3250.

Network Security Sorina Persa Group 3250 Group 3250.
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS

CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.

Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.

Similar presentations

Ads by Google