Message Authentication Codes. Lecture Outline



Similar documents
Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Symmetric Crypto MAC. Pierre-Alain Fouque

One-Way Encryption and Message Authentication

Authentication requirement Authentication function MAC Hash function Security of

Cryptography and Network Security Chapter 12

Message Authentication

Cryptographic Hash Functions Message Authentication Digital Signatures

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Message Authentication Codes

Public Key Cryptography Overview

Message authentication

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Computer Security: Principles and Practice

Authenticated encryption

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Provable-Security Analysis of Authenticated Encryption in Kerberos

Signature Schemes. CSG 252 Fall Riccardo Pucella

Introduction to Computer Security

Cryptography and Network Security Chapter 11. Fourth Edition by William Stallings

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Message Authentication Code

Modes of Operation of Block Ciphers

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Message authentication and. digital signatures

MAC. SKE in Practice. Lecture 5

Introduction to Cryptography CS 355

Table of Contents. Bibliografische Informationen digitalisiert durch

Hash Functions. Integrity checks

Fundamentals of Computer Security

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Massachusetts Institute of Technology Handout : Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Data integrity and data origin authentication

CS155. Cryptography Overview

CIS433/533 - Computer and Network Security Cryptography

Authentication and Encryption: How to order them? Motivation

Network Security Technology Network Management

How To Attack A Block Cipher With A Key Key (Dk) And A Key (K) On A 2Dns) On An Ipa (Ipa) On The Ipa 2Ds (Ipb) On Pcode)

Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

Talk announcement please consider attending!

1 Message Authentication

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

CSE/EE 461 Lecture 23

IT Networks & Security CERT Luncheon Series: Cryptography


Security Policy. Trapeze Networks

Project: Simulated Encrypted File System (SEFS)

HASH CODE BASED SECURITY IN CLOUD COMPUTING

Overview of Symmetric Encryption

1 Signatures vs. MACs

ARCHIVED PUBLICATION

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Digital Signature. Raj Jain. Washington University in St. Louis

Cryptography and Network Security Chapter 11

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

Communications security

Remotely Keyed Encryption Using Non-Encrypting Smart Cards

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

IronKey Data Encryption Methods

CRYPTOGRAPHY IN NETWORK SECURITY

The Keyed-Hash Message Authentication Code (HMAC)

MACs Message authentication and integrity. Table of contents

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

SECURITY IN NETWORKS

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Authentication, digital signatures, PRNG

Practice Questions. CS161 Computer Security, Fall 2008

The Misuse of RC4 in Microsoft Word and Excel

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Client Server Registration Protocol

Chapter 10. Network Security

Chapter 6 Electronic Mail Security

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

Cryptography Overview

Chapter 17. Transport-Level Security

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Cryptography & Network Security

Digital Signatures. Prof. Zeph Grunschlag

Overview of Public-Key Cryptography

Lecture 9: Application of Cryptography

SENSE Security overview 2014

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Recommendation for Applications Using Approved Hash Algorithms

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

EXAM questions for the course TTM Information Security May Part 1

Chapter 8. Network Security

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Cryptography and Network Security Chapter 15

Transcription:

Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1

Limitation of Using Hash Functions for Authentication Require an authentic channel to transmit the hash of a message anyone can compute the hash value of a message, as the hash function is public not always possible How to address this? use more than one hash functions use a key to select which one to use Hash Family A hash family is a four-tuple (X,Y,K,H ), where X is a set of possible messages Y is a finite set of possible message digests K is the keyspace For each K, there is a hash function h K H Each h K : Alternatively, one can think of H as a function K X Y 2

Message Authentication Code A MAC scheme is a hash family, used for message authentication MAC = C K (M) The sender and the receiver share K The sender sends (M, C k (M)) The receiver receives (X,Y) and verifies that C K (X)=Y, if so, then accepts the message as from the sender To be secure, an adversary shouldn t be able to come up with (X,Y) such that C K (X)=Y. Constructing MAC from Hash Functions Given a cryptographic (iterative) hash function h, Define C K (M) to be h(m) with K as IV Is this secure? Given a message x and its MAC C K (x), the adversary can construct x and C K (x ) let pad(x) be the padding added to x let x =x pad(x) w, y =x pad(x ) then C K (x ) can be computed from C K (x) 3

Model for Iterated Hash Functions original input x append padding bits preprocessing append length formatted input x 1, x 2... x n each x i a t-bit block ƒ x i iterated processing compression function f: {0,1} m+t {0,1} m H i-1 H i H t H 0 =IV H i =f(h i-1,x i ) g output h(x)=g(h n ) Existential Forgery Attack against MAC Let C be a MAC function C K (M) is the MAC for M under K. Challenger Picks K at random q times x i C K (x i ) x,y Adversary Attacker wins game if x {x 1,,x q } and C K (x)=y 4

Selective Forgery Attack Against MAC Let C be a MAC function C K (M) is the MAC for M under K. Challenger Picks K at random, Picks a random x q times x x i x C K (x i ) y Adversary Attacker wins game if and C K (x)=y MAC Security The pair (x, z) is called a forgery A (ε,q) forger can produce a forgery with probability ε, after making q queries generally talks about existential forgery The attacker against the MAC scheme C K (M)=h(M) with K as IV is a (1,1) forger 5

Constructing MAC using Hash Functions Are the following MAC schemes secure? What kind of forgers exist for them? C K (M) = h(k M), where h is a cryptographic hash function HMAC Goals Use available hash functions without modification. Preserve the original performance of the hash function without incurring a significant degradation. Use and handle keys in a simple way. Allow easy replacement of the underlying hash function in the event that faster or more secure hash functions are later available. Have a well-understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions on the underlying hash function. 6

HMAC HMAC K = Hash[(K + opad) Hash[(K + ipad) M)]] K + is the key padded out to input block size of the hash function and opad, ipad are specified padding constants Key size: L/2 < K < L MAC size: at least L/2, where L is the hash output HMAC Overview 7

HMAC Security Security of HMAC relates to that of the underlying hash algorithm If used with a secure hash functions (s.t. SHA1) and according to the specification (key size, and use correct output), not known practical attacks against HMAC In general, HMAC be attacked as follows: brute force on the key space attacks on the hash function itself birthday attack, although the use of key makes this attack more difficult attacks against the compression function CBC-MAC Given a block cipher E with block size m Given message M = M 1 M 2 M n MAC of M is E k (M) z 0 =IV=0 m z i = E k (z i-1 M i ) for 1 i n MAC=z n Random IV is needed in CBC encryption to prevent codebook attack on first block, not needed here. 8

Encryption Modes: CBC next input depends of previous output Plaintext is M1, M2, M3, M4, Ciphertext is: C 1 = IV E k (M 1 ) C 2 =C 1 E k (M 2 ) C 3 =C 2 E k (M 3 ) C 4 =C 3 E k (M 4 ) M 1 M 2 M 3 IV E k E k E k C 1 C 2 Security of CBC-MAC Secure for messages of a fixed number of blocks assuming the block cipher is PRP Not secure with variable lengths, example attack given three pairs of messages/macs (x1,y1) (x2,y2), (x1 z,y3), then y1= E K [IV x1] y2= E K [IV x2] y3= E K [y1 z]=e K [y2 (z y1 y2)] let z =(z y1 y2), (x2 z,y3) is also a valid pair 9

Optional Security Enhancement for CBC-MAC MAC of M is z 0 =IV=0 m z i = E K1 (z i-1 M i ) for 1 i n MAC=E K1 D K2 [z n ] Reduces threat of exhaustive key search Defends against the previous attack Data Integrity Combined with Encryption Encryption alone does not guarantee data integrity Combining encryption with hash C=E K [x h(x)] breaking encryption also compromises integrity may be vulnerable to known-plaintext attack 10

MAC with Encryption C=E K [x h K (x)] separate keys used for encryption & for MAC the algorithms E and h should be independent precludes exhaustive key search on MAC key Alternative 1: C=E K [x], h K (E K [x]) allows message authentication without knowing x or K authenticates only the ciphertext Alterative 2: E K [x],h K (x) requires h K (x) does not leak information about x CCM Mode CCM mode is a NIST standard that provides an authenticated encryption MAC is produced as a part of the encryption process CCM mode uses CTR mode for encryption and CBC-MAC for authentication Given message M = M 1 M 2 M n C i = M i E k (ctr+i mod 2 m ) temp=cbc-mac(m,k) and C = temp E k (ctr) Return C 1. C n C 11

Number theory Readings: Next Lectures.. Stingson: 5.1, 5.2, 5.4 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information