Presentation is loading. Please wait.

Presentation is loading. Please wait.

Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.

Published byLawrence Robertson Modified over 9 years ago

Similar presentations

Presentation on theme: "Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012."— Presentation transcript:

1 Message Authentication Codes (MACs) and Hashes David Brumley dbrumley@cmu.edu Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto class, which is awesome!

2 Recap so far Information theoretically secure encryption: ciphertext reveals nothing about the plaintext Secure PRNG: Given first k output bits, adversary should do not better than guessing bit k+1 – Principle: next bit is secure, not just “random looking” output Secure PRF: Adversary can’t tell the difference between real random function and PRF – Principle: computationally indistinguishable functions Semantic security (computationally secure encryption): Adversary picks m 0,m 1, receives encryption of one of them, can’t do better than guessing on which messages was encrypted. – Principle: ciphertext reveals no information about plaintext – Security is not just about keeping key private 2

3 Message Integrity Goal: integrity (not secrecy) Examples: – Protecting binaries on disk. – Protecting banner ads on web pages Security Principles: – Integrity means no one can forge a signature 3

4 CRC Is this Secure? No! Attacker can easily modify message m and re-compute CRC. CRC designed to detect random errors, not malicious attacks. Generate tag: tag  CRC(m) Verify tag: CRC(m, tag) ?= ‘yes’ 4 Alice Bob S V messagetag

5 Message Authentication Codes (MAC) Defn: A Message Authentication Code (MAC) MAC = (S,V) defined over (K,M,T) is a pair of algorithms: – S(k,m) outputs t in T – V(k,m,t) outputs `yes’ or `no’ – V(k, m, S(k,m)) = ‘yes’ (consistency req.) 5 Alice Bob S V messagetag kk secret key required

6 Example 6 Authorized Stock Ticker Publisher 1. k = KeyGen(l) 2. For each price update: t = S(stock||price,k) Publish Adversary t = A(stock||price up) e.g., to cause a buying frenzy A secure MAC should prevent this ConsumeV

7 Example: Tripwire At install time, generate a MAC on all files: F1F1 t 1 = S(k,F 1 ) F2F2 t 2 = S(k,F 2 ) FnFn t n = S(k,F n ) ⋯ filename Later a virus infects system and modifies system files User reboots into clean OS and supplies password – Then: secure MAC ⇒ all modified files will be detected

8 Secure MAC Game Security goal: A cannot produce a valid tag on a message – Even if the message is gibberish 8 Challenger 1. k = KeyGen(l) 3. Compute i in 1...q: t i = S(m i, k) 5. b = V(m,t,k) Adversary A 2. Picks m 1,..., m q 4. picks m not in m 1,...,m q Generates t m 1,...,m q t 1,...,t q m,t b = {yes,no} existential forgery if b=“yes”

9 Secure MAC Game Def: I=(S,V) is a secure MAC if for all “ efficient ” A: Adv MAC [A,I] = Pr[Chal. Outputs “yes”] < ε 9 Challenger 1. k = KeyGen(l) 3. Compute i in 1...q: t i = S(m i, k) 5. b = V(m,t,k) Adversary A 2. Picks m 1,..., m q 4. picks m not in m 1,...,m q Generates t m 1,...,m q t 1,...,t q m,t b = {yes,no}

10 Let I = (S,V) be a MAC. Suppose an attacker is able to find m 0 ≠ m 1 such that S(k, m 0 ) = S(k, m 1 ) for ½ of the keys k in K Can this MAC be secure? 1.Yes, the attacker cannot generate a valid tag for m 0 or m 1 2.No, this MAC can be broken using a chosen msg attack 3.It depends on the details of the MAC 1.A sends m 0, receives (m 0, t 0 ) 2.A wins with (m 1, t 0 ) 3.Adv[A,I] = ½ since prob. of key is ½.

11 MACs from PRFs 11

12 Secure PRF implies secure MAC For a PRF F: K × X ⟶ Y, define a MAC I F = (S,V) as: – S(k,m) = F(k,m) – V(k,m,t): if t = F(k,m), output ‘yes’ else ‘no’ tag  F(k,m) accept msg if tag = F(k,m) Attacker who knows F(k,m 1 ), F(k,m 2 ),..., F(k, m q ) has no better than 1/|Y| chance of finding valid tag for new m 12 Alice Bob S V m, tag

13 Security Thm: If F: K×X⟶Y is a secure PRF and 1/|Y| is negligible (i.e., |Y| is large), then I F is a secure MAC. In particular, for every eff. MAC adversary A attacking I F, there exists an eff. PRF adversary B attacking F s.t.: Adv MAC [A, I F ] = Adv PRF [B, F] + 1/|Y| 13 A can’t do better than brute forcing

14 Proof Sketch A wins iff t=f(k,m) and m not in m 1,...,m q PR[A wins] = Pr[A guesses value of rand. function on new pt] = 1/|Y| 14 b Let f be a truly random function m 1,...,m q Adversary A 1. Picks m 1,..., m q 4. picks m not in m 1,...,m q. Generates t t 1,...,t x m,t Challenger 2. f from FUNS[X,Y] 3. Calculates t i = f(k, m i )

15 Question Suppose F: K × X ⟶ Y is a secure PRF with Y = {0,1} 10 Is the derived MAC I F a practically secure MAC system? 1. Yes, the MAC is secure because the PRF is secure 2. No tags are too short: guessing tags isn’t hard 3. It depends on the function F Adv[A,F] = 1/1024 (we need |Y| to be large) 15

16 Secure PRF implies secure MAC S(k,m) = F(k,m) 16 Assuming output domain Y is large So AES is already a secure MAC....... but AES is only defined on 16-byte messages

17 Given: a PRF for shorter messages (e.g., 16 bytes) Goal: build a MAC for longer messages (e.g., gigabytes) Construction examples: – CBC-MAC: Turn small PRF into big PRF – HMAC: Build from collision resistance – (Others not covered: NMAC/PMAC) 17 Building Secure MACs

18 raw CBC Construction 1: Encrypted CBC-MAC (ECBC-MAC) F(k,  ) m[0]m[1]m[3]m[4]  F(k,  )  F(k 1,  ) tag Let F: K × X ⟶ X be a PRP Define new PRF F ECBC : K 2 × X ≤L ⟶ X Why? <= L means any length  IV assume 0 18

19 Attack Suppose we define a MAC I RAW = (S,V) where S(k,m) = rawCBC(k,m) Then I RAW is easily broken using a 1-chosen msg attack. Adversary works as follows: 1.Choose an arbitrary one-block message m  X 2.Request tag for m. Get t = F(k,m) 3.Output t as MAC forgery for the 2-block message m|| t  m 19

20 Attack t F(k,  ) m Break in 1-chosen message attack Problem: rawCBC(k, m|| t  m ) = F(k, F(k,m)  (t  m) ) = F(k, t  (t  m) ) = F(k,m) = t  IV F(k,  ) m tmtm  m t  IV 20

21 ECBC-MAC analysis Recall: We built ECBC-MAC from a PRP (e.g., block cipher) F: K x X -> X Theorem: For any L>0, For every eff. q-query PRF adv. A attacking F ECBC there exists an eff. adversary B s.t.: Adv PRF [A, F ECBC ]  Adv PRP [B, F] + 2 q 2 / |X| CBC-MAC is secure as long as q << |X| 1/2 21 After signing |X| 1/2 messages, rekey

22 Implications Adv PRF [A, F ECBC ]  Adv PRP [B, F] + 2 q 2 / |X| # msgs MAC’ed with key Suppose we want AdvPRF[A, F ECBC ] ≤ 1/2 32 – then (2q 2 /|X|) < 1/2 32 – AES: |X| = 2 128 ⇒ q < 2 48 – 3DES: |X| = 2 64 ⇒ q < 2 16 Must change key after 2 48, 2 16 msgs 22 128-32 = 96 q 2 = 2 48*2 = 2 96.

23 Extension Attack Suppose the underlying PRF F is a PRP (e.g., AES). Let F BIG be ECBC. Then F BIG has the following extension property: ∀x,y,w: F BIG (k, x) = F BIG (k, y) ⇒ F BIG (k, x||w ) = F BIG (k, y||w ) 23 FFF m[0]...w k0k0 F(k,x) = F(k,y) here F(k,x||w) = F(k,y||w) here Attacker just needs to find such an x and y

24 Collisions and the Birthday Paradox 24

25 Birthday Paradox Put n people in a room. What is the probability that 2 of them have the same birthday? 25 P1P1 P2P2 P3P3 P4P4 PnPn PR[P i = P j ] >.5 with 23 people. (Think: n 2 different pairs) Rule of Thumb: N possibilities, and j random samples Pr[collision]≈ 50% when j = sqrt(N)

26 Generic attack on hash functions Let H: M  {0,1} n be a hash function ( |M| >> 2 n ) Generic alg. to find a collision in time O(2 n/2 ) hashes Algorithm: 1.Choose 2 n/2 random messages in M: m 1, …, m 2 n/2 (distinct w.h.p ) 2.For i = 1, …, 2 n/2 compute t i = H(m i ) ∈{0,1} n 3.Look for a collision (t i = t j ). If not found, got back to step 1. How well will this work? 26

27 The birthday paradox Let r 1, …, r i ∈ {1,…,n} be indep. identically distributed integers. Thm: when i = 1.2 × n 1/2 then Pr[ ∃i≠j: r i = r j ] ≥ ½ 27 If H: M-> {0,1} n, then Pr[collision] ~ ½ with n 1/2 hashes

28 B=10 6 # samples n 50% prob of collision with ~1200 hashes 28

29 Recall Adv PRF [A, F ECBC ]  Adv PRP [B, F] + 2 q 2 / |X| # msgs MAC’ed with key Suppose we want AdvPRF[A, F ECBC ] ≤ 1/2 32 – then (2q 2 /|X|) < 1/2 32 – AES: |X| = 2 128 ⇒ q < 2 47 – 3DES: |X| = 2 64 ⇒ q < 2 15 Must change key after 2 47, 2 15 msgs Reason: the Birthday Paradox. 29

30 Generic attack Let F BIG : K x M  Y be a MAC with the extension property (e.g., CBC-MAC): F BIG (k, x) = F BIG (k, y) ⇒ F BIG (k, x||w) = F BIG (k, y||w) 1.For i = 1, …, 2 n/2 get t i = F(k, m i, ) 2.Look for a collision (t i = t j ). (birthday paradox) If not found, got back to step 1. 3.Choose some w and for query t = F BIG (m i || w) 4.Output forgery (m j ||w, t) 30

31 Implications Adv PRF [A, F ECBC ]  Adv PRP [B, F] + 2 q 2 / |X| Suppose we want AdvPRF[A, F ECBC ] ≤ 1/2 32 – then (2q 2 /|X|) < 1/2 32 – AES: |X| = 2 128 ⇒ q < 2 47 – 3DES: |X| = 2 64 ⇒ q < 2 15 Need PRF that can quickly change keys. 31

32 Padding 32

33 F(k,  ) m[0]m[1]m[3]m[4]  F(k,  )  F(k 1,  ) tag What if msg not a multiple of block size? Recall CBC-MAC ??? 33

34 CBC MAC padding Yes, the MAC is secure No It depends on the underlying MAC m[0] m[1] m[0] 0000 m[1] Idea: pad m with 0 ’ s Is the resulting MAC secure? Problem: given tag on msg m attacker obtains tag on m||0 because pad(m) = pad(m||0) Same Tag $10000 $10000 34

35 CBC MAC padding For security, padding must be one-to-one (i.e., invertible)! m 0 ≠ m 1 ⇒ pad(m 0 ) ≠ pad(m 1 ) ISO: pad with “ 1000  00 ”. Add new dummy block if needed. – The “ 1 ” indicates beginning of pad. m[0]m[1]m[0]m[1]1000 m[0]m[1]m[0]m[1]1000000000 If m is same as block size, add 1 block pad for security two distinct messages map to two distinct paddings 35

36 CMAC (NIST standard) Variant of CBC-MAC where key = (k, k 1, k 2 ) No final encryption step (extension attack thwarted by last keyed xor) No dummy block (ambiguity resolved by use of k 1 or k 2 ) F(k,  ) m[0]  m[1]m[w] F(k,  )  ⋯ tag 100 k1k1 F(k,  ) m[0]  m[1]m[w] F(k,  )  ⋯ tag k2k2 k1 != multiple B.S, k2 = multiple BA. k1 != multiple B.S, k2 = multiple B.S. 36

37 HMAC (Hash-MAC) Most widely used MAC on the Internet. … but, we first we need to discuss hash function. 37

38 Hash Functions 38

39 Collision Resistance Let H: X  Y be a hash function ( |X| >> |Y| ) A collision for H is a pair m 0, m 1  M such that: H(m 0 ) = H(m 1 ) and m 0  m 1 A function H is collision resistant if for all (explicit) “ eff ” algs. A: Adv CR [A,H] = Pr[ A outputs collision for H] is “ negligible ”. Example: SHA-256 (outputs 256 bits) 39

40 General Idea 40 m h k1k1 PRF k2k2 tag Hash then PRF construction

41 MACs from Collision Resistance Let I = (S,V) be a MAC for short messages over (K,M,T) (e.g. AES) Let H: X  Y and S: K x Y  T (|X| >> |Y|) Def: I big = (S big, V big ) over (K, X big, Y) as: S big (k,m) = S(k,H(m)) ; V big (k,m,t) = V(k,H(m),t) Thm: If I is a secure MAC and H is collision resistant, then I big is a secure MAC. Example: S(k,m) = AES 2-block-cbc (k, SHA-256(m)) is secure. 41

42 MACs from Collision Resistance Collision resistance is necessary for security: Suppose: adversary can find m 0  m 1 s.t. H(m 0 ) = H(m 1 ). Then: S big is insecure under a 1-chosen msg attack step 1: adversary asks for t ⟵S(k, m 0 ) step 2: output (m 1, t) as forgery S big (k, m) = S(k, H(m)) ; V big (k, m, t) = V(k, H(m), t) 42

43 AMD Opteron, 2.2 GHz ( Linux) digest generic functionsize (bits)Speed (MB/sec) attack time SHA-11601532 80 SHA-2562561112 128 SHA-512512992 256 Whirlpool512572 256 Sample Speeds Crypto++ 5.6.0 [ Wei Dai ] NIST standards * best known collision finder for SHA-1 requires 2 51 hash evaluations 43

44 Collision Resistance and Passwords 44

45 Passwords How do we save passwords on a system? – Idea 1: Store in cleartext – Idea 2: Hash Enrollment: store h(password), where h is collision resistant Verification: Check h(input) = stored passwd 45 Is this enough to be secure

46 Brute Force Online Brute Force Attack: input: hp = hash(password) to crack for each i in dictionary file if(h(i) == hp) output success; Time Space Tradeoff Attack: precompute: h(i) for each i in dict file in hash tbl input: hp = hash(password) check if hp is in hash tbl 46 “rainbow tables”

47 Salts Enrollment: 1.compute hp=h(password + salt) 2.store salt || hp Verification: 1.Look up salt in password file 2.Check h(input||salt) == hp What is this good for security, given that the salt is public? 47 Salt doesn’t increase security against online attack, but does make tables much bigger.

48 Merkle-Damgard How to construct collision resistant hash functions http://www.merkle.com/ 48

49 Compression Function A compression function mixes two fixed length inputs and produces a single fixed length output of the same size as one of the inputs 49 h K M M

50 The Merkle-Damgard iterated construction Given h: T × X  T (compression function) we obtain H: X ≤L  T. H i - chaining variables PB: padding block m[0]m[1]m[2]m[3] ll PB IV (fixed) H(m) H0H0 H1H1 H2H2 H3H3 H4H4 1000…0 ll msg len 64 bits If no space for PB add another block h h h h 50

51 Security of Merkle-Damgard 51 Thm: if h is collision resistant then so is H. Proof Idea: via contrapositive. Collisions on H ⇒ collision on h Suppose H(M) = H(M’). We build collision for h.

52 Compression from a block cipher E: K× {0,1} n  {0,1} n a block cipher. The Davies-Meyer compression function h(H, m) = E(m, H) H Thm: Suppose E is an ideal cipher (collection of |K| random perms.). Finding a collision h(H,m)=h(H’,m’) takes O(2 n/2 ) evaluations of (E,D). E mimi HiHi ⨁ Best possible !! 52 ⨁

53 Hash MAC (HMAC) Most widely used approach on the internet, e.g., SSL, SSH, TLS, etc. 53

54 Recall Merkel-Damgard Thm: h collision resistant implies H collision resistant m[0]m[1]m[2] m[3] || pad IV (fixed) H(m) H0H0 H1H1 H2H2 H3H3 H4H4 h h h h Can we build a MAC out of H? 54

55 Attempt 1: Create MAC from Merkle-Damgard 55 Let H: X ≤L ⟶ T be a Merkle-Damgard hash, and: S(k,m) = H(k||m) is this secure? no! why? m[0]m[1]m[2]m[3] || pad IV (fixed) H(m) H0H0 H1H1 H2H2 H3H3 H4H4 h h h h Existential forgery: H(k||m[0..3]) = H(H(k||m[0...3])||w) (just one more h)

56 Build MAC out of a hash Example: H = SHA-256 HMAC: S( k, m ) = H( k  opad, H( k  ipad || m ) ) Hash Mac (HMAC) 56

57 HMAC PB: Padding Block m[0]m[1]m[2] || PB h0h0 h1h1 h2h2 h3h3 h4h4 h h h h IV k ⨁ ipad IV (fixed) h h k⨁opad tag 57

58 Authenticated Encryption and Cryptographic Protocols

59 Encrypted with CBC and random IV encrypted packets with key k Destination Machine Webserver (port = 80) dest=80msg a Bob (port = 25) msg b k k IV 1, dest=25msg b IV 2, Example Tampering Attack 59 Source

60 Example Tampering Attack Encrypted with CBC and random IV encrypted packets with key k Destination Machine Webserver (port = 80) dest=80msg a k IV 1, dest=25msg a IV 2, Eve can change destination (easy with CBC and rand IV) 60 k Source Bob (port = 25)

61 Example Tampering Attack Encrypted with CBC and random IV encrypted packets with key k Destination Machine Webserver (port = 80) dest=80msg a k IV 1, dest=25msg a IV 2, Eve can change destination (easy with CBC and rand IV) 61 k Source Bob (port = 25) Active Attacker

62 How? 62 dest=80msg a IV 1, dest=1026msg a IV 2, CBC encryption: D(k, c[0]) ⨁ IV 1 = “dest=80” Attack: IV 2 = IV 1 ⨁ 000...80 ⨁ 000...1026 xor out “80” and xor in “1026” Eve

63 The Story So Far Confidentiality: semantic security against a CPA attack – Examples: Using CBC with a PRP, AES Integrity: security against existential forgery – Examples: CBC-MAC, NMAC, PMAC, HMAC Now: security against tampering – Integrity + Confidentiality! 63 But you need to be careful in how you compose primitives

64 Motivating Question: Which is Best? E(k E, m||tag) S(k I, m) m Encryption Key = k E ; MAC key = k I Option 1: SSL (MAC-then-encrypt) mtagm S(k I, c)E(k E, m) m Option 2: IPsec (Encrypt-then-MAC) mmtag S(k I, m)E(k E, m) m Option 3: SSH (Encrypt-and-MAC) mmtag 64

65 An authenticated encryption system (E,D) is a cipher where As usual: E: K × M × N ⟶ C but D: K × C × N ⟶ M ∪{ ⊥ } Security: the system must provide – Semantic security under CPA attack, and – ciphertext integrity. The attacker cannot create a new ciphertext that decrypts properly. reject ciphertext as invalid 65

66 Chal.Adv A. kKkK c m 1  M c 1  E(k,m 1 ) b=1 if D(k,c) ≠ ⊥ and c  { c 1, …, c q } b=0 otherwise b m2m2, …, m q c2c2, …, c q 66 Ciphertext Integrity Game For b ={0,1}, define EXP(0) and EXP(1) as:

67 Authenticated Encryption Def: cipher (E,D) provides authenticated encryption (AE) if it is (1) semantically secure under CPA, and (2) has ciphertext integrity Counter-example: CBC with rand. IV does not provide AE – D(k, ⋅ ) never outputs ⊥, hence adv. always wins ciphertext integrity game 67

68 Implication 1: Authenticity Attacker cannot fool Bob with a novel message purporting to be from Alice AliceBob k k m 1, …, m q c i = E(k, m i ) c Cannot create valid c ∉ { c 1, …, c q } ⇒ if D(k,c) ≠ ⊥ Bob guaranteed message is from someone who knows k (but could be a replay) Eve 68

69 Implication 2 Authenticated encryption ⇒ Security against chosen ciphertext attack 69

70 Chosen Ciphertext Attacks Def: A CCA adversary has the capability to get ciphertexts of their choosing decrypted. 70 AliceBob k Eve k VPN c = E(k,m) m Eve sees c and m c’ m’

71 CCA Game Definition 71 b Chal. k  K Adv. b’  {0,1} m i,0, m i,1  M : |m i,0 | = |m i,1 | c i  E(k, m i,b ) for i=1,…,q: (1) CPA query: c j  C : c j ∉ {c 1, …, c q } m j  D(k, c j ) for j=1,…,r: (2) CCA query: Ex: could query a changed c i

72 CCA Game Definition 72 b Chal. k  K Adv. b’  {0,1} m i,0, m i,1  M : |m i,0 | = |m i,1 | c i  E(k, m i,b ) for i=1,…,q: (1) CPA query: c i  C : c i ∉ {c 1, …, c i-1 } m i  D(k, c i ) (2) CCA query: ENC = (E,D) is CCA secure iff the Adversary does not do statistically better than guessing.

73 Example: CBC is not CCA Secure 73 Chal. k  K b Adv. m 0, m 1 : |m 0 | = |m 1 |=1 c  E(k, m b ) = (IV, c[0]) c’ = (IV⨁1, c[0]) D(k, c’) = m b ⨁1 b learns b

74 Thm: Let (E,D) be a cipher that provides AE. Then (E,D) is CCA secure. 74 AE implies CCA security!

75 So What? Authenticated encryption assures security against: – A passive adversary (CPA security) – An active adversary that can even decrypt some ciphertexts (CCA security) Limitations: – Does not protect against replay – Assumes no other information other than message/ciphertext pairs can be learned. Timing attacks out of scope Power attacks out of scope... 75

76 AE Constructions Cipher + MAC = security 76

77 History Pre 2000: Crypto API’s provide separate MAC and encrypt primitives – Example: Microsoft Cryptographic Application Programming Interface (MS-CAPI) provided HMAC and CBC + IV – Every project had to combine primitives in their own way 2000: Authenticated Encryption – Bellare and Namprempre in Crypto, 2000 – Katz and Yung in FSE, 2000 77

78 Theorems Let (E,D) by a CPA secure cipher and (S,V) a MAC secure against existential forgery. Then: 1.Encrypt-then-MAC always provides authenticated encryption 2.MAC-then-encrypt may be insecure against CCA attacks – however, when (E,D) is rand-CTR mode or rand- CBC, MAC-then-encrypt provides authenticated encryption 78

79 Motivating Question: Which is Best? Encryption Key = k E ; MAC key = k I E(k E, m||tag) S(k I, m) m Option 1: SSL (MAC-then-encrypt) mtagm S(k I, c)E(k E, m) m Option 2: IPsec (Encrypt-then-MAC) mmtag S(k I, m)E(k E, m) m Option 3: SSH (Encrypt-and-MAC) mmtag ✓ Always Correct 79

80 Standards GCM:CTR mode encryption then CW-MAC CCM:CBC-MAC then CTR mode (802.11i) EAX:CTR mode encryption then CMAC All are nonce-based. All support Authenticated Encryption with Associated Data (AEAD). 80 Associated Data Encrypted Data Authenticated

81 MAC Security -- an explanation Recall: MAC security required an attacker given (m, t) couldn’t find a different t’ such that (m,t’) is a valid MAC Why? Suppose not: (m, t) ⟶ (m, t’) Then Encrypt-then-MAC would not have Ciphertext Integrity !! Chal. k  K b Adv. m 0, m 1 c  E(k, m b ) = (c 0, t) c’ = (c 0, t’ ) ≠ c D(k, c’ ) = m b b (c 0, t) (c 0, t’) 81

82 Summary Encrypt-then-MAC Provides integrity of CT Plaintext integrity If cipher is malleable, we detect invalid CT MAC provides no information about PT since it’s over the encryption MAC-then-Encrypt No integrity of CT Plaintext integrity If cipher is malleable, can change message w/o detection MAC provides no information on PT since encrypted 82 Encrypt-and-MAC No integrity on CT Integrity of PT can be verified If cipher is malleable, contents of CT can be altered; should detect at PT level May reveal info about PT in the MAC (e.g., MAC of same messages are the same)

83 Recap 1 MACs from PRF – CBC-MAC – Others: N(ested)MAC, P(arallel)MAC MACs from collision resistant hash functions – Make CRF with merkle-damgard from PRF Attackers goal: existential forgery 83

84 Recap 2 Authenticated Encryption – Chosen Ciphertext Attack (CCA) and CCA-secure ciphers – AE game = CCA + CPA secure Encrypt-then-MAC always right – Don’t roll your own 84

85 Further reading J. Black, P. Rogaway: CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions. J. Cryptology 18(2): 111-131 (2005) K. Pietrzak: A Tight Bound for EMAC. ICALP (2) 2006: 168-179 J. Black, P. Rogaway: A Block-Cipher Mode of Operation for Parallelizable Message Authentication. EUROCRYPT 2002: 384-397 M. Bellare: New Proofs for NMAC and HMAC: Security Without Collision-Resistance. CRYPTO 2006: 602-619 Y. Dodis, K. Pietrzak, P. Puniya: A New Mode of Operation for Block Ciphers and Length-Preserving MACs. EUROCRYPT 2008: 198-219 85

86 86 Questions?

Download ppt "Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012."

Similar presentations

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.

Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.
Cryptographic Hash Functions Rocky K. C. Chang, February 2013 1.

Cryptographic Hash Functions Rocky K. C. Chang, February
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Cryptography: Review Day David Brumley Carnegie Mellon University.

Cryptography: Review Day David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.

1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.

1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.

1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Similar presentations

Ads by Google