Message authentication

Size: px

Start display at page:

Download "Message authentication"

Caren Williamson
10 years ago
Views:

1 Message authentication -- Hash based MAC unctions -- MAC unctions based on bloc ciphers -- Authenticated encryption (c) Levente Buttyán Secret preix method MAC (x) = H( x) insecure! assume an attacer nows the MAC on x: M = H( x) he can produce the MAC on x y as M = (M,y), where x is x with padding and is the compression unction o H x 2 x L padding y padding CV 0 M M = MAC (x y) Message authentication 2

assume an attacer nows the MAC on x: M = H( x) he can produce the MAC on x y as M = (M,y), where x is x

2 A similar mistae MAC (x) = H (x) where H (.) is H(.) with CV 0 = x 2 x L padding y padding K M M = MAC (x y) Message authentication 3 Secret suix method MAC (x) = H(x ) insecure i H is not collision resistant using a birthday attac, the attacer inds two inputs x and x such that H(x) = H(x ) (can be done o-line without the nowledge o ) then obtaining the MAC M on one o the inputs, say x, allows the attacer to orge a text-mac pair (x, M) weanesses MAC depends only on the last chaining variable ey is involved only in the last step x 1 x 2 x 2 x L x L padding CV 0 H(x) = H(x ) M Message authentication 4

resistant using a birthday attac, the attacer inds two inputs x and x such that H(x) = H(x ) (can be done o-line without the nowledge o ) then

3 nvelop method MAC K (x) = H( x ) a ey recovery attac has been discovered on this scheme (requiring 2 64 text-mac pairs or MD5 with 128-bit ey) although, not really practical, the attac still represents an architectural law Message authentication 5 HMAC HMAC (x) = H( ( opad) H( ( ipad) x ) ) where h is a hash unction with input bloc size b and output size n is padded with 0s to obtain a length o b bits ipad is repeated b/8 times opad is repeated b/8 times ipad x L padding 1 H CV 0 CV 1 inner opad M padding 2 H CV 0 CV 1 outer HMAC (x) Message authentication 6

) ) where h is a hash unction with input bloc size b and output size n is padded with 0s to obtain a length o b bits ipad is 00110110 repeated

4 ncrypted hash MAC K (x) = K (H(x)) o-line search or messages with colliding MAC values is possible here without the nowledge o H must be collision resistant! collision resistant hash unctions usually have larger output size than the bloc size o the bloc cipher which mode to use to encrypt the hash? two messages having the same hash value will have the same MAC value under all eys Message authentication 7 CBC-MAC x 2 x 3 x N c N-1 c 1 c 2 c 3-1 CBC MAC is secure or messages o a ixed number o blocs orgery is possible i variable length messages are allowed CBC MAC optional c N Message authentication 8

two messages having the same hash value will have the same MAC value under all eys Message authentication 7 CBC-MAC x 2 x 3 x N 100 0 c N-1 c 1 c 2 c

5 A nown-text orgery given two text-mac pairs (x, M) and (x, M ), a third valid text-mac pair can be computed as ollows: (x 100 x 1 M x 2 x L, M ) x N 100 x 1 M x L c N-1 c L-1 c 1 c N = M c 2 c L = M Message authentication 9 A chosen-text orgery given a nown text-mac pair (, M 1 ) request MAC or M 1, receive M 2 = (M 1 0) = (M 1 ) M 2 is the MAC o the message ( 0) M 1 last bloc o 0 0 (M 1 ) M 1 (M 1 ) Message authentication 10

authentication 9 A chosen-text orgery given a nown text-mac pair (, M 1 ) request MAC or M 1, receive M 2 =

6 Another chosen-text orgery given two nown text-mac pairs: (, M 1 ), (x 2, M 2 ) request MAC or message M 1 M 2 z, where z is an arbitrary bloc receive M 3 = (M 1 M 2 z M 1 ) = (M 2 z) M 3 is also the MAC or message x 2 z last bloc o M 1 M 2 z last bloc o x 2 z M 1 M 3 = (M 2 z) M 2 (z M 2 ) = M 3 Message authentication 11 How to use CBC-MAC in practice? use the optional inal encryption reduces the threat o exhaustive ey search (ey is (, ) ey length is doubled) prevents the previously presented existential orgeries has marginal overhead (only last bloc is encrypted multiple times) prepend the message with a bloc containing the length o the message beore the MAC computation use to encrypt the length and obtain = (length), and use as the MAC ey (i.e., use message dependent MAC eys) Message authentication 12

use the optional inal encryption reduces the threat o exhaustive ey search (ey is (, ) ey length is doubled) prevents the previously presented existential orgeries has marginal overhead (only last

7 CMAC proposed to ix problems with CBC-MAC x 2 x N c N-1 computed rom (0) c 1 c 2 CMAC (x) Message authentication 13 Authenticated encryption schemes simultaneously protect the conidentiality and the integrity o a message motivations: to prevent chosen-ciphertext attacs (such as the Vaudenay attac) the decryption oracle immediately recognizes improperly constructed ciphertexts and reuses to decrypt them attacer can construct a correct ciphertext only i he already nows the plaintext decryption oracle becomes useless eiciency (in some cases) needs ewer operations i the message is encrypted and the authentication tag is computed in a single pass approaches: specialized schemes (e.g., XCBC, OCB, CCM) combine regular encryption and MAC unctions (but be careul!) 1 (x, MAC 2 (x)) (chec or padding oracle attac!) 1 (x), MAC 2 (x) (chec or padding oracle attac!) 1 (x), MAC 2 ( 1 (x)) (considered to be the most secure approach) Message authentication 14

to decrypt them attacer can construct a correct ciphertext only i he already nows the plaintext decryption oracle becomes useless eiciency (in some cases) needs ewer operations i the message is

8 CCM mode CCM means CTR mode and CBC-MAC (two pass) authenticated encryption mode integrity protection is based on CBC-MAC encryption is based on CTR mode the same bloc cipher and ey is used or both operations inputs: K ey N nonce (should not repeat or a given ey K) m message to be protected a additional data to be authenticated only (e.g., message header) outputs: encrypted message encrypted authentication tag (MAC value) Message authentication 15 CCM computing the authentication tag irst bloc B 0 : message length next blocs containing a: MAC length: 2*M2 B 1 B 2 B x encoding(length(a)) a next blocs containing m: B x1 B x2 B n m Message authentication 16

(e.g., message header) outputs: encrypted message encrypted authentication tag (MAC value) Message authentication 15 CCM computing the authentication tag irst bloc B 0

9 CCM computing the authentication tag given B 0, B 1,, B n : X 1 K (B 0 ) X i1 K (X i B i ) or i = 1, 2,, n T irst-m-bytes(x n1 ) output T as the MAC value Message authentication 17 CCM encryption the ey stream blocs are computed as S i K (C i ) or i = 0, 1, 2, where C i is ormatted as: the irst length(m) octets o S 1, S 2, are XORed to m to produce the ciphertext S 0 is used to encrypt the authentication tag: U T irst-m-bytes(s 0 ) Message authentication 18

computed as S i K (C i ) or i = 0, 1, 2, where C i is ormatted as: the irst length(m) octets o S 1, S 2, are XORed

10 CCM notes security level o conidentiality and authenticity is in-line with other proposed authenticated encryption modes, e.g., OCB encryption o the authentication tag T or avoiding MAC collision attacs (attacer gets no inormation about the CBC-MAC results) same ey or MAC and encryption? No problem essentially never gets the same input (C i s are very liely dierent rom B i s) an intermediate value in the CBC-MAC computation may collide with a C i, but those values cannot be observed, and they aect only T which is encrypted eiciency two pass processing, but blocs used by the authentication unction match up the blocs used by the encryption unction nonce selection nonce values should be unique within the scope o a ey nonce can be a sequence number otherwise a pre-computation attac would be possible assume that the ey is 128 bits long choose a particular nonce N 0 choose 2 64 ey, and or each K store (K, S 1 ) when a genuine message with N 0 is sent, guess the irst 16 octets o the plaintext (usually higher layer header ields) and compute S 1 loo-up S 1 in the table (you will ind it with large probability due to the birthday paradox), the corresponding K value is the ey Message authentication 19 Summary naïve hash based MAC constructions are usually not secure better to use standard, well-studied constructions, e.g., HMAC CBC-MAC is interesting, because it does not need a hash unction, but it can use the same bloc cipher that is used or encryption, anyway existential orgeries against CBC-MAC exist, but there are countermeasures e.g., prepending additional context data such as message length to the message, multiple encryption o the last bloc, etc. authenticated encryption modes have some advantages eiciency: the two goals may be achieved in a single pass security: no inormation is leaed through a padding oracle Message authentication 20

No problem essentially never gets the same input (C i s are very liely dierent rom B i s) an intermediate value in the CBC-MAC computation may collide with a C i, but those values cannot be observed,

Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption