Message authentication




Message authentication
- Hash based MAC functions
- MAC functions based on block ciphers
- Authenticated encryption
(c) Levente Buttyán (buttyan@crysys.hu)

Secret prefix method
- $\mathrm{MAC}_K(x) = H(K \,\|\, x)$
- insecure!
  - assume an attacker knows the MAC on x: $M = H(K \,\|\, x)$
  - he can produce the MAC on $x' \,\|\, y$ as $M' = f(M, y)$, where $x'$ is x with padding and f is the compression function of H
[Figure: H iterated from $CV_0$ over the key, the blocks of x up to $x_L$, padding, y and padding; M is the value after the first padding, and $M' = \mathrm{MAC}_K(x' \,\|\, y)$ is the final output]
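The extension step M' = f(M, y) from the secret prefix slide, as an added sketch that is not part of the original slides. It assumes a toy Merkle-Damgård hash: the compression function f (truncated SHA-256), the 16-byte block size and the sample key and messages are all constructed for illustration.

```python
import hashlib

BLOCK = 16          # toy block size in bytes (assumption)
CV0 = bytes(16)     # public initial chaining value CV_0

def f(cv: bytes, block: bytes) -> bytes:
    """Toy compression function f (truncated SHA-256; a stand-in, not a real design)."""
    return hashlib.sha256(cv + block).digest()[:16]

def pad(total_len: int) -> bytes:
    """Padding for a total_len-byte input: 0x80, zeros, 8-byte length."""
    zeros = -(total_len + 9) % BLOCK
    return b"\x80" + bytes(zeros) + total_len.to_bytes(8, "big")

def iterate(cv: bytes, data: bytes) -> bytes:
    """Run f over block-aligned data, starting from chaining value cv."""
    for i in range(0, len(data), BLOCK):
        cv = f(cv, data[i:i + BLOCK])
    return cv

def H(x: bytes) -> bytes:
    return iterate(CV0, x + pad(len(x)))

def prefix_mac(key: bytes, x: bytes) -> bytes:
    """Secret prefix method from the slide: MAC_K(x) = H(K || x)."""
    return H(key + x)

def extend(tag: bytes, key_len: int, x: bytes, y: bytes):
    """Compute (x' || y, M') from a known pair (x, M) without the key.
    Only len(K) is needed, to reproduce the padding inside x'."""
    x_padded = x + pad(key_len + len(x))               # x' = x with padding
    total = key_len + len(x_padded) + len(y)           # bytes the verifier hashes
    return x_padded + y, iterate(tag, y + pad(total))  # M' = f(M, y), block by block

def demo() -> bool:
    key = b"constructed-demo-key"                      # constructed sample values
    x, y = b"order=17;qty=0001", b";appended-by-third-party"
    message, tag = extend(prefix_mac(key, x), len(key), x, y)
    return prefix_mac(key, message) == tag             # verifier accepts the pair

if __name__ == "__main__":
    print("extended pair accepted by H(K || x) verifier:", demo())
```

The final chaining value is the tag, so anyone holding a valid tag holds the full internal state needed to keep hashing; HMAC's outer hash is what hides that state.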

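A similar mistake
- $\mathrm{MAC}_K(x) = H_K(x)$, where $H_K(\cdot)$ is $H(\cdot)$ with $CV_0 = K$
[Figure: H iterated with K as the initial chaining value over the blocks of x up to $x_L$, padding, y and padding; M is the value after the first padding, and $M' = \mathrm{MAC}_K(x' \,\|\, y)$ is the final output]

Secret suffix method
- $\mathrm{MAC}_K(x) = H(x \,\|\, K)$
- insecure if H is not collision resistant
  - using a birthday attack, the attacker finds two inputs x and x' such that H(x) = H(x') (can be done off-line without the knowledge of K)
  - then obtaining the MAC M on one of the inputs, say x, allows the attacker to forge a text-MAC pair (x', M)
- weaknesses
  - MAC depends only on the last chaining variable
  - key is involved only in the last step
[Figure: two hash chains from $CV_0$, over $x_1, x_2, \ldots, x_L$ and over $x'_1, x'_2, \ldots, x'_L$, reaching H(x) = H(x') before the key and padding are processed to give M]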

Envelope method
- $\mathrm{MAC}_K(x) = H(K \,\|\, x \,\|\, K)$
- a key recovery attack has been discovered on this scheme (requiring $2^{64}$ text-MAC pairs for MD5 with 128-bit key)
- although not really practical, the attack still represents an architectural flaw

HMAC
- $\mathrm{HMAC}_K(x) = H\big( (K^+ \oplus \mathrm{opad}) \,\|\, H( (K^+ \oplus \mathrm{ipad}) \,\|\, x ) \big)$
- where
  - H is a hash function with input block size b and output size n
  - $K^+$ is K padded with 0s to obtain a length of b bits
  - ipad is 00110110 repeated b/8 times
  - opad is 01011100 repeated b/8 times
[Figure: inner hash from $CV_0$ over $K^+ \oplus \mathrm{ipad}$, the blocks of x up to $x_L$ and padding 1 gives M; outer hash from $CV_0$ over $K^+ \oplus \mathrm{opad}$, M and padding 2 gives $\mathrm{HMAC}_K(x)$]
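The HMAC formula above written out with a real hash and cross-checked against Python's standard hmac module (an added example, not code from the original slides). The rule that keys longer than b are hashed first comes from RFC 2104, not from the slide; the function names and sample values are constructed.

```python
import hashlib
import hmac

def hmac_from_formula(key: bytes, x: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(x) = H((K+ XOR opad) || H((K+ XOR ipad) || x))."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()
    b = hashlib.new(hash_name).block_size        # input block size b, in bytes
    if len(key) > b:                             # RFC 2104: long keys are hashed first
        key = H(key)
    k_plus = key.ljust(b, b"\x00")               # K+ : K padded with 0s to b bytes
    inner_key = bytes(v ^ 0x36 for v in k_plus)  # ipad = 00110110 repeated
    outer_key = bytes(v ^ 0x5C for v in k_plus)  # opad = 01011100 repeated
    return H(outer_key + H(inner_key + x))

def verify(key: bytes, x: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison, so the check does not leak how many
    leading bytes of a submitted tag were correct."""
    return hmac.compare_digest(hmac_from_formula(key, x), tag)

def matches_stdlib(key: bytes, x: bytes, hash_name: str) -> bool:
    reference = hmac.new(key, x, hash_name).digest()
    return hmac_from_formula(key, x, hash_name) == reference

if __name__ == "__main__":
    sample_key = b"constructed sample key"       # constructed values
    sample_msg = b"constructed sample message"
    for name in ("sha1", "sha256", "sha512"):
        print(name, matches_stdlib(sample_key, sample_msg, name))
    good = hmac_from_formula(sample_key, sample_msg)
    print("valid tag accepted:", verify(sample_key, sample_msg, good))
    print("truncated tag accepted:", verify(sample_key, sample_msg, good[:16]))
```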

Encrypted hash
- $\mathrm{MAC}_K(x) = E_K(H(x))$
- off-line search for messages with colliding MAC values is possible here without the knowledge of K
  - H must be collision resistant!
- collision resistant hash functions usually have larger output size than the block size of the block cipher
  - which mode to use to encrypt the hash?
- two messages having the same hash value will have the same MAC value under all keys

CBC-MAC
[Figure: CBC chain from initial value 0 over the blocks of x up to $x_N$ (padded with 10...0), with intermediate values $c_1, c_2, c_3, \ldots, c_{N-1}$ and final value $c_N$; an optional final step on $c_N$ gives the CBC MAC]
- CBC MAC is secure for messages of a fixed number of blocks
- forgery is possible if variable length messages are allowed

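A known-text forgery
- given two text-MAC pairs (x, M) and (x', M'), a third valid text-MAC pair can be computed as follows:
  $(x \,\|\, 10\ldots0 \,\|\, x'_1 \oplus M \,\|\, x'_2 \,\|\, \ldots \,\|\, x'_L,\ M')$
[Figure: CBC chain over the blocks of x (padded with 10...0) reaching $c_N = M$, continued over $x'_1 \oplus M, \ldots, x'_L$ (padded with 10...0) reaching $c_L = M'$]

A chosen-text forgery
- given a known text-MAC pair $(x_1, M_1)$
- request MAC for $M_1$, receive $M_2 = E_K(M_1 \oplus 0) = E_K(M_1)$
- $M_2$ is the MAC of the message $(x_1 \,\|\, 0)$
[Figure: last block of $x_1 \,\|\, 0$ in the CBC chain: the previous value $M_1$ is XORed with 0 and encrypted to $E_K(M_1)$]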

Another chosen-text forgery
- given two known text-MAC pairs: $(x_1, M_1)$, $(x_2, M_2)$
- request MAC for message $x_1 \,\|\, (M_1 \oplus M_2 \oplus z)$, where z is an arbitrary block
- receive $M_3 = E_K(M_1 \oplus M_2 \oplus z \oplus M_1) = E_K(M_2 \oplus z)$
- $M_3$ is also the MAC for message $x_2 \,\|\, z$
[Figure: last block of $x_1 \,\|\, (M_1 \oplus M_2 \oplus z)$ and last block of $x_2 \,\|\, z$; both chains end in $E_K(M_2 \oplus z) = M_3$]

How to use CBC-MAC in practice?
- use the optional final encryption
  - reduces the threat of exhaustive key search (key is $(K, K')$, so key length is doubled)
  - prevents the previously presented existential forgeries
  - has marginal overhead (only last block is encrypted multiple times)
- prepend the message with a block containing the length of the message before the MAC computation
- use K to encrypt the length and obtain $K' = E_K(\text{length})$, and use $K'$ as the MAC key (i.e., use message dependent MAC keys)
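The known-text splice from the forgery slides, checked against plain CBC-MAC and against two of the countermeasures listed above (an added example, not code from the original slides). Assumptions: E_K is replaced by a 16-byte PRF built from HMAC-SHA256, which is enough because CBC-MAC only uses the encryption direction; the final-encryption variant is simplified to one extra E under K'; keys and messages are constructed.

```python
import hashlib
import hmac

BS = 16  # block size in bytes

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E_K (assumption, see lead-in)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BS]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def pad(x: bytes) -> bytes:
    """10...0 padding up to a whole number of blocks."""
    return x + b"\x80" + bytes(-(len(x) + 1) % BS)

def chain(key: bytes, data: bytes) -> bytes:
    c = bytes(BS)                                    # initial value 0
    for i in range(0, len(data), BS):
        c = E(key, xor(c, data[i:i + BS]))
    return c                                         # c_N

def mac_raw(k: bytes, x: bytes) -> bytes:            # plain CBC-MAC
    return chain(k, pad(x))

def mac_final(k: bytes, k2: bytes, x: bytes) -> bytes:
    return E(k2, chain(k, pad(x)))                   # extra encryption of c_N under K'

def mac_len(k: bytes, x: bytes) -> bytes:            # length block prepended
    return chain(k, len(x).to_bytes(BS, "big") + pad(x))

def splice(x: bytes, m: bytes, x2: bytes) -> bytes:
    """Message from the slide: x || 10...0 || (x'_1 XOR M) || x'_2 || ... || x'_L."""
    return pad(x) + xor(x2[:BS], m) + x2[BS:]

def survey() -> dict:
    """For each variant: does the spliced message verify under the tag M'?"""
    k, k2 = b"K" * 16, b"L" * 16                     # constructed keys
    x, x2 = b"first known message", b"second known message, two blocks"
    variants = {"raw": lambda m: mac_raw(k, m),
                "final": lambda m: mac_final(k, k2, m),
                "length": lambda m: mac_len(k, m)}
    return {name: hmac.compare_digest(mac(splice(x, mac(x), x2)), mac(x2))
            for name, mac in variants.items()}

if __name__ == "__main__":
    print(survey())  # True means the spliced pair is accepted
```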

CMAC
- proposed to fix problems with CBC-MAC
[Figure: CBC chain from initial value 0 over the blocks of x up to $x_N$ (padded with 10...0), with intermediate values $c_1, c_2, \ldots, c_{N-1}$; a value computed from $E_K(0)$ enters at the last block; output $\mathrm{CMAC}_K(x)$]

Authenticated encryption
- schemes simultaneously protect the confidentiality and the integrity of a message
- motivations:
  - to prevent chosen-ciphertext attacks (such as the Vaudenay attack)
    - the decryption oracle immediately recognizes improperly constructed ciphertexts and refuses to decrypt them
    - attacker can construct a correct ciphertext only if he already knows the plaintext, so the decryption oracle becomes useless
  - efficiency (in some cases)
    - needs fewer operations if the message is encrypted and the authentication tag is computed in a single pass
- approaches:
  - specialized schemes (e.g., XCBC, OCB, CCM)
  - combine regular encryption and MAC functions (but be careful!)
    - $E_{K_1}(x, \mathrm{MAC}_{K_2}(x))$ (check for padding oracle attack!)
    - $E_{K_1}(x), \mathrm{MAC}_{K_2}(x)$ (check for padding oracle attack!)
    - $E_{K_1}(x), \mathrm{MAC}_{K_2}(E_{K_1}(x))$ (considered to be the most secure approach)

CCM mode
- CCM means CTR mode and CBC-MAC
- (two pass) authenticated encryption mode
  - integrity protection is based on CBC-MAC
  - encryption is based on CTR mode
  - the same block cipher and key is used for both operations
- inputs:
  - K: key
  - N: nonce (should not repeat for a given key K)
  - m: message to be protected
  - a: additional data to be authenticated only (e.g., message header)
- outputs:
  - encrypted message
  - encrypted authentication tag (MAC value)

CCM computing the authentication tag
- first block $B_0$: [Figure: layout of $B_0$; surviving labels: message length; MAC length: 2*M2]
- next blocks containing a: $B_1, B_2, \ldots, B_x$ = encoding(length(a)) $\|$ a $\|$ 000...
- next blocks containing m: $B_{x+1}, B_{x+2}, \ldots, B_n$ = m $\|$ 000...

CCM computing the authentication tag
- given $B_0, B_1, \ldots, B_n$:
  - $X_1 = E_K(B_0)$
  - $X_{i+1} = E_K(X_i \oplus B_i)$ for $i = 1, 2, \ldots, n$
  - $T = \text{first-}M\text{-bytes}(X_{n+1})$
- output T as the MAC value

CCM encryption
- the key stream blocks are computed as $S_i = E_K(C_i)$ for $i = 0, 1, 2, \ldots$, where $C_i$ is formatted as: [Figure: layout of $C_i$]
- the first length(m) octets of $S_1, S_2, \ldots$ are XORed to m to produce the ciphertext
- $S_0$ is used to encrypt the authentication tag: $U = T \oplus \text{first-}M\text{-bytes}(S_0)$
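The CCM tag and encryption steps above, put together with the matching decrypt-and-verify side (an added example, not code from the original slides). Assumptions: the layouts of B_0 and C_i, which are not recoverable from this page, follow RFC 3610; E_K is replaced by a 16-byte PRF built from HMAC-SHA256 (CCM only uses the encryption direction), so outputs will not match AES-CCM test vectors; all function names are constructed.

```python
import hashlib
import hmac

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E_K (assumption, see lead-in)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def zpad(d: bytes) -> bytes:
    return d + bytes(-len(d) % 16)                   # zero padding to a block boundary

def cbc_tag(key, nonce, m, a, M, L):
    """T = first-M-bytes(X_{n+1}) over B_0, the blocks of a, the blocks of m."""
    flags = 64 * (len(a) > 0) + 8 * ((M - 2) // 2) + (L - 1)        # RFC 3610 B_0 flags
    blocks = bytes([flags]) + nonce + len(m).to_bytes(L, "big")     # B_0
    if a:
        blocks += zpad(len(a).to_bytes(2, "big") + a)               # encoding(length(a)) || a
    blocks += zpad(m)
    x = bytes(16)
    for i in range(0, len(blocks), 16):
        x = E(key, xor(x, blocks[i:i + 16]))                        # X_{i+1} = E_K(X_i xor B_i)
    return x[:M]

def keystream(key, nonce, n, L):
    """S_0 and the first n octets of S_1 || S_2 || ..., with S_i = E_K(C_i)."""
    def C(i):
        return bytes([L - 1]) + nonce + i.to_bytes(L, "big")        # RFC 3610 counter block
    s = b"".join(E(key, C(i)) for i in range(1, (n + 15) // 16 + 1))
    return E(key, C(0)), s[:n]

def ccm_encrypt(key, nonce, m, a=b"", M=8, L=2):
    assert len(nonce) == 15 - L and len(a) < 0xFF00 and len(m) < 256 ** L
    s0, ks = keystream(key, nonce, len(m), L)
    return xor(m, ks), xor(cbc_tag(key, nonce, m, a, M, L), s0)     # (ciphertext, U)

def ccm_decrypt(key, nonce, c, u, a=b"", M=8, L=2):
    s0, ks = keystream(key, nonce, len(c), L)
    m = xor(c, ks)
    expected = xor(cbc_tag(key, nonce, m, a, M, L), s0)
    if not hmac.compare_digest(expected, u):                        # reject before releasing m
        raise ValueError("authentication failed")
    return m
```

Encrypting two messages under the same (K, N) pair reuses S_1, S_2, ..., so the XOR of the two ciphertexts equals the XOR of the two plaintexts; this is the practical reason the nonce must not repeat for a given key.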

CCM notes
- security level of confidentiality and authenticity is in line with other proposed authenticated encryption modes, e.g., OCB
- encryption of the authentication tag T is for avoiding MAC collision attacks (attacker gets no information about the CBC-MAC results)
- same key for MAC and encryption? No problem
  - $E_K$ essentially never gets the same input ($C_i$'s are very likely different from $B_i$'s)
  - an intermediate value in the CBC-MAC computation may collide with a $C_i$, but those values cannot be observed, and they affect only T, which is encrypted
- efficiency
  - two pass processing, but blocks used by the authentication function match up the blocks used by the encryption function
- nonce selection
  - nonce values should be unique within the scope of a key
  - nonce can be a sequence number
  - otherwise a pre-computation attack would be possible
    - assume that the key is 128 bits long
    - choose a particular nonce $N_0$
    - choose $2^{64}$ keys, and for each K store $(K, S_1)$
    - when a genuine message with $N_0$ is sent, guess the first 16 octets of the plaintext (usually higher layer header fields) and compute $S_1$
    - look up $S_1$ in the table (you will find it with large probability due to the birthday paradox); the corresponding K value is the key

Summary
- naïve hash based MAC constructions are usually not secure
  - better to use standard, well-studied constructions, e.g., HMAC
- CBC-MAC is interesting, because it does not need a hash function, but it can use the same block cipher that is used for encryption, anyway
  - existential forgeries against CBC-MAC exist, but there are countermeasures, e.g., prepending additional context data such as message length to the message, multiple encryption of the last block, etc.
- authenticated encryption modes have some advantages
  - efficiency: the two goals may be achieved in a single pass
  - security: no information is leaked through a padding oracle