Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 5.1: Message Authentication Codes, and Key Distribution

Published byMercy Carter Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 5.1: Message Authentication Codes, and Key Distribution"— Presentation transcript:

1 Lecture 5.1: Message Authentication Codes, and Key Distribution
4/26/2017 Lecture 5.1: Message Authentication Codes, and Key Distribution CS 436/636/736 Spring 2013 Nitesh Saxena

2 Course Administration
4/26/2017 Course Administration HW1 graded and distributed Any questions regarding the grades, please contact the TA If you haven’t picked up your graded submissions, please do so HW2 due Monday, 11am – March 04 Questions? 4/26/2017 Lecture 5.1: MACs and Key Distribution

3 Outline of Today’s lecture
4/26/2017 Outline of Today’s lecture Message Authentication Codes Based on block cipher designs Based on hash functions Key Distribution Introduction Protocol for private key distribution 4/26/2017 Lecture 5.1: MACs and Key Distribution

4 Message Authentication Codes
4/26/2017 Message Authentication Codes Provide integrity as well as authentication Send (m, MAC); MAC is created on m using the key shared between two parties Has to be deterministic to enable verification Unlike encryption schemes We want MAC to be as small and as secure as possible Can not provide non-repudiation Why not? 4/26/2017 Lecture 5.1: MACs and Key Distribution

5 Lecture 5.1: MACs and Key Distribution
4/26/2017 MAC – Functions KeyGen – outputs a key MAC – creates a checksum on m using key K Verify – validates whether the checksum on m is computed correctly Just create MAC and compare 4/26/2017 Lecture 5.1: MACs and Key Distribution

6 Security Notion for MAC
4/26/2017 Security Notion for MAC Very similar to the security notion for a digital signature scheme Existential forgery under (adaptively) chosen message attack 4/26/2017 Lecture 5.1: MACs and Key Distribution

7 Can encryption be used as a MAC?
4/26/2017 Can encryption be used as a MAC? No, not in general Intuitively because encryption achieves properties different from MAC See a counter-example: One-time pad as a MAC – bad idea! However, you can use 3-DES or AES as a building block for MAC 4/26/2017 Lecture 5.1: MACs and Key Distribution

8 MAC Based on Block Cipher in the CBC mode – CBC-MAC
4/26/2017 MAC Based on Block Cipher in the CBC mode – CBC-MAC 4/26/2017 Lecture 5.1: MACs and Key Distribution

9 Lecture 5.1: MACs and Key Distribution
4/26/2017 CBC-MAC Note that this is deterministic IV = [0] Unlike CBC encryption Only the last block of the output is used as a MAC This is secure under CMA attack For pre-decided fixed-length messages Intuitively because of the presence of an avalanche effect 4/26/2017 Lecture 5.1: MACs and Key Distribution

10 HMAC: MAC using Hash Functions
4/26/2017 HMAC: MAC using Hash Functions Developed as part of IPSEC - RFC Also used in SSL etc. Key based hash but almost as fast as non-key based hash functions. Avoids export restrictions unlike DES based MAC. Provable security Can be used with different hash functions like SHA-1,MD5, etc. 4/26/2017 Lecture 5.1: MACs and Key Distribution

11 Lecture 5.1: MACs and Key Distribution
4/26/2017 HMAC Block size b bits. K+ - K padded with bits on the left to make b bits. ipad – (ox36) repeated b/8 times. opad – (0x5c) repeated b/8 times. Essentially HHMACK = H[(K+ xor opad) || H[(K+ xor ipad) || M]] 4/26/2017 Lecture 5.1: MACs and Key Distribution

12 Lecture 5.1: MACs and Key Distribution
4/26/2017 Security of HMAC Security related to the collision resistance of the underlying hash function 4/26/2017 Lecture 5.1: MACs and Key Distribution

13 HMAC – An Efficient Implementation
4/26/2017 4/26/2017 Lecture 5.1: MACs and Key Distribution

14 Lecture 5.1: MACs and Key Distribution
4/26/2017 Key Distribution Cryptographic primitives seen so far assume In private key setting: Alice and Bob share a secret key which is unknown to Oscar. In public key setting: Alice has a “trusted” (or authenticated) copy of Bob’s public key. But how does this happen in the first place? Alice and Bob meet and exchange key(s) Not always practical or possible. We need key distribution, first and foremost! Idea: make use of a trusted third party (TTP) 4/26/2017 Lecture 5.1: MACs and Key Distribution

15 “Private Key” Distribution: An Attempt
4/26/2017 “Private Key” Distribution: An Attempt Protocol assumes that Alice and Bob share a session key KA and KB with a Key Distribution Center (KDC). Alice calls Trent (Trusted KDC) and requests a session key to communicate with Bob. Trent generates random session key K and sends E KA(K) to Alice and E KB(K) to Bob. Alice and Bob decrypt with KA and KB respectively to get K. This is a key distribution protocol. Susceptible to replay attack!

16 Session Key Exchange with KDC – Needham-Schroeder Protocol
4/26/2017 Session Key Exchange with KDC – Needham-Schroeder Protocol A -> KDC IDA || IDB || N1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A E KA( K || IDB || N1 || E KB(K || IDA)) Encrypted(Here is a key, for you to talk to Bob as per your request N1 and also an envelope to Bob containing the same key) A -> B E KB(K || IDA) (I would like to talk using key in envelope sent by KDC) B -> A E K(N2) (OK Alice, But can you prove to me that you are indeed Alice and know the key?) A -> B E K(f(N2)) (Sure I can!) Dennig-Sacco (replay) attack on the protocol NS protocol only provides one way authentication (A  B). You can provide mutual authentication (see next lecture slides for correction) Talk about Dennig-Sacco Attack on NS: Since the ticket does not contain any timestamp; Eve can replay it in next session. If the key for first session is somehow leaked to Eve  the next session will be compromised too. 4/26/2017 Lecture 5.1: MACs and Key Distribution

17 Lecture 5.1: MACs and Key Distribution
4/26/2017 Session Key Exchange with KDC – Needham-Schroeder Protocol (corrected version with mutual authentication) A -> KDC: IDA || IDB || N1 (Hello, I am Alice, I want to talk to Bob, I need a session Key and here is a random nonce identifying this request) KDC -> A: E KA( K || IDB || N1 || E KB(TS1, K || IDA)) Encrypted(Here is a key, for you to talk to Bob as per your request N1 and also an envelope to Bob containing the same key) A -> B: E K(TS2), E KB(TS1, K || IDA) (I would like to talk using key in envelope sent by KDC; here is an authenticator) B -> A: E K(TS2+1) (OK Alice, here is a proof that I am really Bob) 4/26/2017 Lecture 5.1: MACs and Key Distribution

18 Lecture 5.1: MACs and Key Distribution
4/26/2017 Some questions Can a KDC learn communication between Alice and Bob, to whom it issued keys? Can OTP make for a good MAC? Can H(K||m) make for a good MAC? Does HMAC provide non-repudiation? 4/26/2017 Lecture 5.1: MACs and Key Distribution

19 Lecture 5.1: MACs and Key Distribution
4/26/2017 Further Reading Stallings Chapter 12 (MAC) and 15 (Key Dist.) HAC Chapter 9 (MAC) and 12 (Key Dist) 4/26/2017 Lecture 5.1: MACs and Key Distribution

Download ppt "Lecture 5.1: Message Authentication Codes, and Key Distribution"

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Lecture 4: Cryptography III; Email Security CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena.

Lecture 4: Cryptography III; Security CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena.
Lecture 4: Hash Functions, Message Authentication and Key Distribution CS 392/6813: Computer Security Fall 2008 Nitesh Saxena *Adopted from Previous Lectures.

Lecture 4: Hash Functions, Message Authentication and Key Distribution CS 392/6813: Computer Security Fall 2008 Nitesh Saxena *Adopted from Previous Lectures.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)

Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Similar presentations

Ads by Google