# Chapter 7. Message Authentication. 7.1 The setting

Save this PDF as:

Size: px
Start display at page:

## Transcription

11 Bellare and Rogaway 11 Then Adv uf-cma MAC (A 1) = 1. Furthermore A 1 makes no signing oracle queries, uses t = O(n) time, and its verification query has length 2n-bits, so it is very practical. There are many other attacks. For example we note that T = F K (M 1 ) F K (M 2 ) is not only the tag of M 1 M 2 but also the tag of M 2 M 1. So it is possible, given the tag of a message, to forge the tag of a new message formed by permuting the blocks of the old message. We leave it to the reader to specify the corresponding adversary and compute its advantage. Let us now try to strengthen the scheme to avoid these attacks. Instead of applying F K to a data block, we will first prefix the data block with its index. To do this, first pick some parameter ι with 1 ι n 1. We will write each block s index as an ι-bit string. The MAC-generation algorithm is the following: algorithm MAC2 K (M) η n ι if ( M mod η 0 or M = 0 or M /η 2 ι ) then return Break M into η-bit blocks M = M 1...M m for i 1 to m do Y i F K ([i] ι M i ) T Y 1 Y m return Tag As the code indicates, we divide M into blocks, but the size of each block is smaller than in our previous scheme: it is now only η = n ι bits. Then we prefix the i-th message block with the value i itself, the block index, written in binary as a string of length exactly m bits. It is to this padded block that we apply F K before taking the xor. Note that encoding of the block index i as an iota-bit string is only possible if i < 2 ι. This means that we cannot authenticate a message M having more 2 ι blocks. This explains the conditions under which the MAC returns. However this is a feasible restriction in practice, since a reasonable value of ι, like ι = 32, is large enough that very long messages will be in the message space. Anyway, the question we are really concerned with is the security. Has this improved from scheme MAC1? Begin by noticing that the attacks we found on MAC1 no longer work. For example if X is an η-bit string and we let M = X X then its tag is not likely to be 0 n. Similarly, the second attack discussed above, namely that based on permuting of message blocks, also has low chance of success against the new scheme. Why? In the new scheme, if M 1,M 2 are strings of length η, then MAC2 K (M 1 M 2 ) = F K ([1] ι M 1 ) F K ([2] ι M 2 ) MAC2 K (M 2 M 1 ) = F K ([1] m M 2 ) F K ([2] ι M 1 ). These are unlikely to be equal. As an exercise, a reader might upper bound the probability that these values are equal in terms of the value of the advantage of F at appropriate parameter values. All the same, MAC2 is still insecure. The attack however require a more non-trivial usage of the chosen-message attacking ability. The adversary will query the tagging oracle at several related points and combine the responses into the tag of a new message. We call it A 2 algorithm A MAC K( ),VF K ( ) 2 Let A 1,B 1 be distinct, η-bit strings Let A 2,B 2 be distinct η-bit strings T 1 MAC K (A 1 A 2 ) ; T 2 MAC K (A 1 B 2 ) ; T 3 MAC K (B 1 A 2 )

12 12 MESSAGE AUTHENTICATION T T 1 T 2 T 3 d VF K (B 1 B 2,T) We claim that Adv uf-cma MAC2 (A 2) = 1. Why? This requires two things. First that VF K (B 1 B 2,T) = 1, and second that B 1 B 2 was never a query to MAC K ( ) in the above code. The latter is true because we insisted above that a 1 b 1 and a 2 b 2, which together mean that B 1 B 2 {A 1 A 2,A 1 B 2,B 1 A 2 }. So now let us check the first claim. We use the definition of the tagging algorithm to see that T 1 = F K ([1] ι A 1 ) F K ([2] ι A 2 ) T 2 = F K ([1] ι A 1 ) F K ([2] ι B 2 ) T 3 = F K ([1] ι B 1 ) F K ([2] ι A 2 ). Now look how A 2 defined T and do the computation; due to cancellations we get T = T 1 T 2 T 3 = F K ([1] ι B 1 ) F K ([2] ι B 2 ). This is indeed the correct tag of B 1 B 2, meaning the value T that VF K (B 1 B 2,T) would compute, so the latter algorithm returns 1, as claimed. In summary we have shown that this scheme is insecure. It turns out that a slight modification of the above, based on use of a counter or random number chosen by the MAC algorithm, actually yields a secure scheme. For the moment however we want to stress a feature of the above attacks. Namely that these attacks did not cryptanalyze the PRF F. The attacks did not care anything about the structure of F; whether it was DES, AES, or anything else. They found weaknesses in the message authentication schemes themselves. In particular, the attacks work just as well when F K is a random function, or a perfect cipher. This illustrates again the point we have been making, about the distinction between a tool (here the PRF) and its usage. We need to make better usage of the tool, and in fact to tie the security of the scheme to that of the underlying tool in such a way that attacks like those illustrated here are provably impossible under the assumption that the tool is secure. 7.6 The PRF-as-a-MAC paradigm Pseudorandom functions make good MACs, and constructing a MAC in this way is an excellent approach. Here we show why PRFs are good MACs, and determine the concrete security of the underlying reduction. The following shows that the reduction is almost tight security hardly degrades at all. Let F: K D {0,1} τ be a family of functions. We associate to F a message authentication code MAC: K D {0,1} τ via algorithm MAC K (M) if (M D) then return T F K (M) return T Note that when we think of a PRF as a MAC it is important that the domain of the PRF be whatever one wants as the domain of the MAC. So such a PRF probably won t be realized as a blockcipher. It may have to be realized by a PRF that allows for inputs of many different lengths,

14 14 MESSAGE AUTHENTICATION M 1 M 2 M 3 M X 1 X 2 X 3 X 4 E K E K E K E K C 1 C 2 C 3 C 4 T Figure 7.5: The CBC MAC, here illustrated with a message M of four blocks, M = M 1 M 2 M 3 M The CBC MAC A very popular class of MACs is obtained via cipher-block chaining of a given blockcipher. The method is as follows: Scheme CBC MAC] Let E: K {0,1} n {0,1} n be a blockcipher. The CBC MAC over blockcipher E has key space K and is given by the following algorithm: algorithm MAC K (M) if M ({0,1} n ) + then return Break M into n-bit blocks M 1 M m C 0 0 n for i = 1 to m do C i E K (C i 1 M i ) return C m See Fig. 7.5 for an illustration with m = 4. As we will see below, the CBC MAC is secure only if you restrict attention to strings of some one particular length: the domain is restricted to {0,1} mn for some constant m. If we apply the CBC MAC across messages of varying lengths, it will be easy to distinguish this object from a random function. Theorem [1] Fix n 1, m 1, and q 2. Let A be an adversary that asks at most q queries, each of mn bits. Then that Adv prf CBC[Func(mn,n)] (A) m2 q 2 2 n. Proof: Let A be an adversary that asks exactly q queries and assume without loss of generality that it never repeats a query. Refer to games C0 C9 in Fig Let us begin by explaining the notation used there. Each query M s in the games is required to be a string of blocks, and we silently parse M s to M s = M s 1 Ms 2 Ms m where each M i is a block. Recall that M s 1 i = Ms 1 Ms i. The function π: {0,1} n {0,1} n is initially undefined at each point. The set Domain(π) grows as we define points π(x), while Range(π), initially {0,1} n, correspondingly shrinks. The table Y stores blocks and is indexed by strings of blocks P having at most m blocks. A random block will come to occupy selected entries Y [X] except for Y [ε], which is initialized to the constant block 0 n and

17 Bellare and Rogaway 17 P s = M r 1 i in which case we are looking at Pr[Ms P s n+1 = Mr P s n+1 ]. But this is 0 because Ps = M r 1 i means that the longest prefix that M s shares with M r is P s and so M s P s n+1 Mr P s n+1. Line 905. What is Y [M s 1 j ] Ms j+1 = Y [Mr 1 i ] Mr i+1. It is 2 n unless i = j and M s 1 j = Mr 1 i. In that case P s n j and P r n i, contradicting our choice of allowed values for i and j at line 902. Line 906. We must bound Pr[Y [P r ] M r P r n+1 = Y [Ms 1 j ] Ms j+1 ]. As before, this is 2 n unless P r = M s 1 j but we can not have that Pr = M s 1 j because j Ps n + 1. There are at most 0.5m 2 q 2 tuples (r,i,s,j) considered at line 902 and we now know that for each of them bad gets set with probability at most 2 n. So Pr[Game C9 sets bad] 0.5m 2 q 2 /2 n. Combining with the loss from the C0 C2 transition we have that Pr[Game C0 setsbad] m 2 q 2 /2 n, completing the proof. 7.8 The universal-hashing approach We have shown that one paradigm for making a good MAC is to make something stronger: a good PRF. Unfortunately, out-of-the-box PRFs usually operate on strings of some fixed length, like 128 bits. That s almost certainly not the domain that we want for our MAC s message space. In this section we describe a simple paradigm for extending the domain of a PRF by using a universal hash-function family. Several MACs can be seen as instances of this approach. Definition Let H: K M {0,1} n and let δ be a real number. We say that H is δ-au (read this as δ almost-universal) if for all distinct M,M M, Pr[K \$ K : H K (M) = H K (M )] δ. Definition Let H: K M {0,1} n and F: K {0,1} n {0,1} τ be function families. Then F H is the function family F H: (K K ) M {0,1} τ defined by F H (K,K )(M) = F K (H K (M)). Theorem Let H: K M {0,1} n be a δ-au function family and let F = Func(n,τ) be the family of all functions from n bits to τ bits. Let A be an adversary that asks at most q queries. Then Adv prf F H (A) ( q 2) δ 2. To be continued. Give a CW mod-p arithmetic MAC. Then describe EMAC and CMAC, and HMAC, probably in different sections. 7.9 Problems Problem 1 Consider the following variant of the CBC MAC, intended to allow one to MAC messages of arbitrary length. The construction uses a blockcipher E : {0,1} k {0,1} n {0,1} n, which you should assume to be secure. The domain for the MAC is ({0,1} n ) +. To MAC M under key K compute CBC K (M M ), where M is the length of M, written in n bits. Of course K has k bits. Show that this MAC is completely insecure: break it with a constant number of queries. Problem 2 Consider the following variant of the CBC MAC, intended to allow one to MAC messages of arbitrary length. The construction uses a blockcipher E : {0,1} k {0,1} n {0,1} n, which you should assume to be secure. The domain for the MAC is ({0,1} n ) +. To MAC M under key (K,K ) compute CBC K (M) K. Of course K has k bits and K has n bits. Show that this MAC is completely insecure: break it with a constant number of queries.

18 18 MESSAGE AUTHENTICATION Problem 3 Let SE = (K, E, D) be a symmetric encryption scheme and let MA = (K,MAC,VF) be a message authentication code. Alice (A) and Bob (B) share a secret key K = (K1,K2) where K1 K and K2 K. Alice wants to send messages to Bob in a private and authenticated way. Consider her sending each of the following as a means to this end. For each, say whether it is a secure way or not, and briefly justify your answer. (In the cases where the method is good, you don t have to give a proof, just the intuition.) (a) M,MAC K2 (E K1 (M)) (b) E K1 (M,MAC K2 (M)) (c) MAC K2 (E K1 (M)) (d) E K1 (M),MAC K2 (M) (e) E K1 (M), E K1 (MAC K2 (M)) (f) C,MAC K2 (C) where C = E K1 (M) (g) E K1 (M,A) where A encodes the identity of Alice; B decrypts the received ciphertext C and checks that the second half of the plaintext is A. In analyzing these schemes, you should assume that the primitives have the properties guaranteed by their definitions, but no more; for an option to be good it must work for any choice of a secure encryption scheme and a secure message authentication scheme. Now, out of all the ways you deemed secure, suppose you had to choose one to implement for a network security application. Taking performance issues into account, do all the schemes look pretty much the same, or is there one you would prefer? Problem 4 Refer to problem 4.3. Given a blockcipher E: K {0,1} n {0,1} n construct a cipher E : K {0,1} 2n {0,1} 2n. Formalize and prove a theorem that shows that E is a secure PRP if E is. Problem 5 Let H: {0,1} k D {0,1} L be a hash function, and let Π = (K,MAC,VF) be the message authentication code defined as follows. The key-generation algorithm K takes no inputs and returns a random k-bit key K, and the tagging and verifying algorithms are: algorithm MAC K (M) Tag H(K,M) return Tag algorithm VF K (M,Tag ) Tag H(K,M) if Tag = Tag then return 1 else return 0 Show that Adv cr2-hk H (t,q,µ) (q 1) Adv uf-cma Π (t,q 1,µ,q 1,µ) for any t,q,µ with q 2, where t is t + O(log(q)). (This says that if Π is a secure message authentication code then H was a CR2-HK secure hash function.)

19 Bibliography [1] M. Bellare, J. Kilian and P. Rogaway. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences, Vol. 61, No. 3, Dec 2000, pp [2] M. Bellare, R. Canetti and H. Krawczyk. Keying hash functions for message authentication. Advances in Cryptology CRYPTO 96, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, [3] J. Black, S. Halevi, H. Krawczyk, T. Krovetz, and P. Rogaway. UMAC: Fast and secure message authentication. Advances in Cryptology CRYPTO 99, Lecture Notes in Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, [4] J. Black and P. Rogaway. CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions. Advances in Cryptology CRYPTO 00, Lecture Notes in Computer Science Vol. 1880, M. Bellare ed., Springer-Verlag, 2000.

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

### Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes

Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### Message Authentication Codes 133

Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

### Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Chapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes

Chapter 4 Symmetric Encryption The symmetric setting considers two parties who share a key and will use this key to imbue communicated data with various security attributes. The main security goals are

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

### Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

### The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### Midterm Exam Solutions CS161 Computer Security, Spring 2008

Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext

### 1 Pseudorandom Permutations

Theoretical Foundations of Cryptography Lecture 9 Georgia Tech, Spring 2010 PRPs, Symmetric Encryption 1 Pseudorandom Permutations Instructor: Chris Peikert Scribe: Pushkar Tripathi In the first part of

### Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

### Authenticated encryption

Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

### Client Server Registration Protocol

Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

### MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart OV-Chipkaart Security Issues Tutorial for Non-Expert Readers The current debate concerning the OV-Chipkaart security was

### Secure Computation Without Authentication

Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com

### 1 Domain Extension for MACs

CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

### Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1

Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### Ciphertext verification security of symmetric encryption schemes

www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information

### Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is

### ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters

### Authentication requirement Authentication function MAC Hash function Security of

UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

### Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Lecture No. #06 Cryptanalysis of Classical Ciphers (Refer

### Stream Ciphers. Example of Stream Decryption. Example of Stream Encryption. Real Cipher Streams. Terminology. Introduction to Modern Cryptography

Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### OPENID AUTHENTICATION SECURITY

OPENID AUTHENTICATION SECURITY Erik Lagercrantz and Patrik Sternudd Uppsala, May 17 2009 1 ABSTRACT This documents gives an introduction to OpenID, which is a system for centralised online authentication.

### Chapter 3. Network Domain Security

Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter

### COM S 687 Introduction to Cryptography October 19, 2006

COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: Non-Malleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 Non-Malleability Until this point we have discussed

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### DIGITAL SIGNATURES 1/1

DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob \$100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob \$100 scan

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### CS 161 Computer Security

Song Spring 2015 CS 161 Computer Security Discussion 11 April 7 & April 8, 2015 Question 1 RSA (10 min) (a) Describe how to find a pair of public key and private key for RSA encryption system. Find two

Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

### 159.334 Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Network Security 1 Professor Richard Harris School of Engineering and Advanced Technology Presentation Outline Overview of Identification and Authentication The importance of identification and Authentication

### SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 02 Overview on Modern Cryptography

### Network security and all ilabs

Network security and all ilabs Modern cryptography for communications security part 1 Benjamin Hof hof@in.tum.de Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität

### Data Encryption A B C D E F G H I J K L M N O P Q R S T U V W X Y Z. we would encrypt the string IDESOFMARCH as follows:

Data Encryption Encryption refers to the coding of information in order to keep it secret. Encryption is accomplished by transforming the string of characters comprising the information to produce a new

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

### Network Security Technology Network Management

COMPUTER NETWORKS Network Security Technology Network Management Source Encryption E(K,P) Decryption D(K,C) Destination The author of these slides is Dr. Mark Pullen of George Mason University. Permission

### Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

### Introduction to Cryptography

Introduction to Cryptography Part 2: public-key cryptography Jean-Sébastien Coron January 2007 Public-key cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has

### Chapter 10. Network Security

Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

### Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

### Computer Science A Cryptography and Data Security. Claude Crépeau

Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

### 2.1 Complexity Classes

15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

### One-Way Encryption and Message Authentication

One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School

### Message Authentication Codes. Lecture Outline

Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic

### Shift Cipher. Ahmet Burak Can Hacettepe University. Substitution Cipher. Enigma Machine. How perfect secrecy can be satisfied?

One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Basic Ciphers Shift Cipher Brute-force attack can easily break Substitution Cipher Frequency analysis

### ORDERS OF ELEMENTS IN A GROUP

ORDERS OF ELEMENTS IN A GROUP KEITH CONRAD 1. Introduction Let G be a group and g G. We say g has finite order if g n = e for some positive integer n. For example, 1 and i have finite order in C, since

### lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

### Cryptography and Network Security

Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 9: Authentication protocols, digital signatures Ion Petre Department of IT, Åbo Akademi University 1 Overview of

### Cryptography CS 555. Topic 3: One-time Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1

Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings Outline One-time pad Perfect secrecy Limitation of perfect secrecy Usages of one-time pad

### Lecture 2: Complexity Theory Review and Interactive Proofs

600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

### Digital Signatures. What are Signature Schemes?

Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

### Stronger Security Bounds for OMAC, TMAC and XCBC

Stronger Security Bounds for OMAC, MAC and XCBC etsu Iwata Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University 4 1 1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan {iwata,

### Modes of Operation of Block Ciphers

Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must

### Reconsidering Generic Composition

Reconsidering Generic Composition Chanathip Namprempre Thammasat University, Thailand Phillip Rogaway University of California, Davis, USA Tom Shrimpton Portland State University, USA 1/24 What is the

### A Secure RFID Ticket System For Public Transport

A Secure RFID Ticket System For Public Transport Kun Peng and Feng Bao Institute for Infocomm Research, Singapore Abstract. A secure RFID ticket system for public transport is proposed in this paper. It

### Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

### Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

### Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection

### Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database