MACs Message authentication and integrity. Table of contents

Size: px

Start display at page:

Download "MACs Message authentication and integrity. Table of contents"

Jeffery Black
8 years ago
Views:

1 MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs

2 Secure communication and message integrity Image a supermarket chain sends an request to purchase 10,000 creates of coke.the supplier has to consider: 1. Is the order authentic, i.e., did the chain really issue an order, or was it spoofed. 2. Even if it assuredly came from the chain, the supplier must still ask whether the details are exactly as intended. *The order itself is not secret and therefore the question of privacy does not arise. Encryption vs. Message Authentication Why not use encryption to insure message integrity? After all if the adversary cannot figure out what you are saying, what harm can she do? Consider randomized counter mode which we proved has indistinguishable encryption under a chosen-plaintext attack. If the message structure is known (or can be guessed), then the attacker can manipulate ciphertext to cause predictable changes in the plaintext. *How?

3 The problem in a nutshell Data authenticity or integrity Sender S wants to send a message M to receiver R in such a way that R will be sure it came from S But, adversary A controls the communications channel. Authentication 15-3 The solution: Message Authentication Codes (MACs) Message authentication code One solution is to attach a fixed-length tag to the original message. The tag, or MAC, serves to validate the authenticity of the message. *Confidentiality isn t always needed. In fact, sometimes confidentially only gets in the way. We don t encrypt our check when we sign them. Authentication 15-4

4 Message Authentication Codes Definition 4.1. A message authentication code (MAC) is a tuple of probabilistic polynomial-time algorithms (Gen, Mac, Vrfy) such that: 1. The key-generation algorithm Gen takes as input the security parameter 1 n and outputs a key k with k n. 2. The tag-generation algorithm MAC takes as input a key k and a message m {0, 1}, and output a tag t. Sincethis algorithm may be randomized, we write t Mac k (m). 3. The verification algorithm Vrfy takes as input a key k, a message m, andatagt. It outputs a bit b with b =1 meaning valid and b =0meaninginvalid. WeassumeWLOG that Vrfy is deterministic and so write this as b := Vrfy k (m.t). It is required that for every n, k, m Vrfy k (m, Mac k (m)) = 1. Security of message authentication codes Our goal is to detect any attempt by the adversary to modify the transmission. To accomplish this we seek MACs such that no polynomial-time adversary can generate a valid tag on any new message that was not previously sent. Of course, the adversary may have observed (or even influenced the content) of many messages and their corresponding tags before taking action.

5 Secure MACs The message authentication experiment Mac-forge A,Π (n): 1. A random key k is generated by running Gen(1 n ). 2. The adversary A is given input 1 n and oracle access to Mac k ( ). The adversary eventually outputs a pair (m, t). Let Q denote the set of all queries that A asked to its oracle. 3. The output of the experiment is defined to be 1 if and only if (1) Vrfy(m, t) = 1; and (2) m Q. Definition 4.2. A message authentication code Π =(Gen, Mac, Vrfy) is existentially unforgeable under an adaptive chosen-message attack if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that Pr[Mac-forge A,Π (n) = 1] negl(n). Bullwinkle buys a bike from Bois Bullwinkle buys a bike from Bois Transfer $100 from my account to Bois Transfer $100 from my account to Bois -- &*#@ Sender Transfer $100 from my account to Bois -- &*#@ Receiver Adversary Authentication 15-23

6 Sometime later Sometime... later... out to lunch Transfer $100 from my account to Bois -- Receiver Adversary Authentication Replay attacks and MACs MACs provide no protection against replay attacks. The problem is that MACs do not incorporate any notion of state in their verification algorithms. Thus, every time a valid pair (m, t) ispresentedtovrfy k it returns the same answer. Protection against replay attacks is left to some higher-level application.

7 Two common techniques for dealing with replay attacks*: Sequence numbers: The sender assigns a unique sequence number i to each message which the receiver keeps track of. The MAC tag is computed over the concatenated message i m. Time stamps: Sender appends the current time to the message. When the receiver obtains a message, it checks whether the included time-stamp is within some acceptable window of the current time. Dealing with replay attacks *Both schemes have certain drawbacks. Constructing secure message authentication codes Construction 4.3. Let F be a pseudorandom function. Define a fixed-length MAC for messages of length n as follows: Gen: On input 1 n, choose k {0, 1} n uniformly at random. Mac: On input a key k {0, 1} n and a message m {0, 1} n, output the tag t := F k (m). (If m = k then output nothing.) Vrfy: On input a key k {0, 1} n, a message m {0, 1} n,and atagt {0, 1} n, output 1 if and only if t? = F k (m). (If m = k then output 0.) *Nice, but falls short of our goal. We show later how to convert any fixed length MAC into MAC that handles any length.

8 Our MAC is secure Theorem 4.4 If F is a pseudorandom function, then Construction 4.3 is a fixed-length MAC for messages of length n that is existentially unforgeable under an adaptive chose-message attack. Proof. Let A be a PPT adversary and define (n) def = Pr[Mac-forge A,Π (n) = 1]. Consider a message authentication code Π =( Gen, Mac, Vrfy) which is the same as Π =(Gen, Mac, Vrfy) except that a truly random function f is used instead of the function F k.certainly, Pr[Mac-forge A, Π (n) = 1] 2 n since for any message m Q, thevaluet = f (m) isuniformly distributed in {0, 1} n. Using an adversary A to construct a distinguisher Distinguisher D. D is given input 1 n and access to an oracle O : {0, 1} n {0, 1} n and works are follows: 1. Run A(1 n ). Whenever A queries its MAC oracle on a message, answer as follows: Query O with m and obtain response t; returnt to A 2. When A outputs (m, t) at the end of its execution, do: 2.1 Query O with m and obtain response ˆt. 2.2 If (1) ˆt = t; and (2) A never queried its MAC oracle on m, then output 1; otherwise output 0. It is clear the A runs in polynomial time since A does.

9 D s oracle is a pseudorandom function If D s oracle is a pseudorandom function, then the view A when run as a sub-routine by D is distributed identically to the view of A in experiment Mac-forge A,Π (n). Furthermore, D outputs 1 exactly when Mac-forge A,Π (n) = 1. We conclude Pr D Fk( ) (1 n )=1 = Pr[Mac-forge A,Π (n) = 1] = (n). where k {0, 1} n is chosen uniformly at random. D s oracle is a truly random function If D s oracle is a random function, then the view A when run as a sub-routine by D is distributed identically to the view of A in experiment Mac-forge A, Π (n). and again D outputs 1 exactly when Mac-forge A, Π (n) = 1. Thus, Pr D f ( ) (i n )=1 = Pr[Mac-forge A, Π (n) = 1] 1 2 n. where f Func n is chosen uniformly at random. Combining this with the previous slide, we have Pr D Fk( ) (i n )=1 Pr D f ( ) (i n 1 )=1 2 n. Since F is pseudorandom, it follow that there exists a negligible function negl with (n) 2 n negl(n) and is likewise negligible.

Message Authentication Codes 133

Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in