Message authentication and cryptographic hashing
2MMC10 Cryptology
Andreas Hulsing
September 20, 2018
A. Hulsing 2MMC10 Cryptology 1 / 12
Message authentication

Sometimes we want more than secrecy!
Acknowledgement of receipt, social communication, source of an executable, ...
We need integrity and authenticity!

Does encryption imply authenticity / integrity?
PRG-ENC, PRF-ENC, ... any stream cipher allows controlled bit-flips. If the message format is known, this may be disastrous.
Block ciphers make similar attacks harder, but give no guarantees.
ECB mode allows switching the order of blocks, repeating blocks, etc.
Message authentication codes (MAC)

Definition (message authentication code)
A message authentication code or MAC is a tuple of probabilistic polynomial-time algorithms MAC = (Gen, Mac, Vrfy) over a message space M, fulfilling the following:
1. Upon input 1^n, the algorithm Gen outputs a key k. The set of possible outputs of Gen is called the key space K.
2. The algorithm Mac receives as input a key k ∈ K and a message m ∈ M, and outputs a tag t ∈ T. The set of possible outputs of Mac is called the tag space T.
3. The algorithm Vrfy receives as input a key k ∈ K, a message m ∈ M, and a tag t ∈ T, and outputs a bit b ∈ {0, 1}.
4. Correctness: For every n, every k ← Gen(1^n), and every m ∈ M it holds that Vrfy_k(m, Mac_k(m)) = 1.
Existential unforgeability under (adaptive) chosen message attacks (EU-CMA) - Experiment

Experiment (Exp^{EU-CMA}_{A,MAC}(n))
1. k ← Gen(1^n)
2. (m, t) ← A^{Mac_k(·)}(1^n). Let {m_i}_{i=1}^{q} denote A's queries to Mac_k.
3. If Vrfy_k(m, t) = 1 and m ∉ {m_i}_{i=1}^{q}, return 1.
4. Else return 0.
Existential unforgeability under (adaptive) chosen message attacks (EU-CMA) - Definition

Definition (EU-CMA)
A message authentication code MAC = (Gen, Mac, Vrfy) over a message space M is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that:
Pr[Exp^{EU-CMA}_{A,MAC}(n) = 1] ≤ negl(n)
Existential unforgeability under (adaptive) chosen message attacks (EU-CMA) - Definition (concrete version)

Definition (EU-CMA)
A message authentication code MAC = (Gen, Mac, Vrfy) over a message space M is (t, ε) existentially unforgeable under an adaptive chosen-message attack if for all t-time adversaries A
Pr[Exp^{EU-CMA}_{A,MAC}(n) = 1] ≤ ε
Remarks

There exists a constant-time attack with success probability 1/|T| against every MAC ⇒ tags must not be too short.
MACs do not prevent replay attacks!
Replay attacks have to be handled at the protocol level (e.g., using sequence numbers).
PRF = MAC

Theorem
A (t, ε)-secure PRF F yields a (t, ε)-secure MAC with
Gen(1^n) returns k ←_R {0, 1}^n.
Mac_k(m) returns t := F_k(m).
Vrfy_k(m, t) returns 1 if t = F_k(m), and 0 otherwise.
Proof: see board.
CBC-MAC

Construction
Let F be an efficient, length-preserving keyed function over {0, 1}^n. CBC-MAC has message space M = {0, 1}^{ℓn}. The algorithms are as follows:
Gen(1^n) returns k ←_R {0, 1}^n.
Mac_k(m), upon input a key k ∈ {0, 1}^n and a message m of length ℓn, does the following:
1. Denote m = m_1, ..., m_ℓ where each m_i is of length n, and set t_0 = 0^n.
2. For i = 1 to ℓ, set t_i ← F_k(t_{i-1} ⊕ m_i).
3. Output t_ℓ.
Vrfy_k(m, t) returns 1 if t = Mac_k(m), and 0 otherwise.
Variable message length CBC-MAC

CBC-MAC is not secure for variable length messages.
Solutions for variable ℓ:
Derived key: Compute k' = F_k(ℓ) and use k' to compute t = Mac_{k'}(m).
Prepend length: Compute t = Mac_k(ℓ ‖ m).
Encrypted tag: Use two keys k1, k2 ∈ {0, 1}^n, compute t' = Mac_{k1}(m) and output t = F_{k2}(t'). We can generate k1, k2 from a single key using F as a length-doubling PRG (<k1, k2> = <F_k(0), F_k(1)>).
Padding

What if the message length is not a multiple of the block length: |m| ≠ x · n?
Solution: Padding
Expand the message to match a multiple of the block length.
Usually an injective function Pad : {0, 1}* → ({0, 1}^n)*.
E.g., m → m ‖ 10*.
Properties depend on the cryptographic application:
Encryption - invertible
MAC - injective
Often used for additional purposes: randomization, or encoding the message length.
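The CBC-MAC construction, the three variable-length fixes, and the m ‖ 10* padding from the slides above, as one added Python example that is not part of the lecture material. Assumptions of this example: F is a hash-based stand-in for the length-preserving keyed function (not a real block cipher), and the block count ℓ and the PRG inputs 0 and 1 are encoded as n-bit blocks.

```python
import hashlib
import hmac
import secrets

N = 16  # block length in bytes, i.e. n = 128 bits

def F(k: bytes, x: bytes) -> bytes:
    # Stand-in for F_k on n-bit blocks (assumption: hash-based, not a real block cipher)
    assert len(k) == N and len(x) == N
    return hashlib.sha256(k + x).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def gen() -> bytes:
    return secrets.token_bytes(N)                    # Gen(1^n): k <-R {0,1}^n

def pad(m: bytes) -> bytes:
    # Injective padding m -> m||10* up to a multiple of n; always appends at least the 1 bit
    return m + b"\x80" + bytes((-len(m) - 1) % N)

def cbc_mac(k: bytes, m: bytes) -> bytes:
    # Fixed-length CBC-MAC as on the slide; m must be l*n bits with l >= 1
    if len(m) == 0 or len(m) % N:
        raise ValueError("message length must be a positive multiple of the block length")
    t = bytes(N)                                     # t_0 = 0^n
    for i in range(0, len(m), N):
        t = F(k, xor(t, m[i:i + N]))                 # t_i = F_k(t_{i-1} XOR m_i)
    return t                                         # t_l

def mac_derived_key(k: bytes, m: bytes) -> bytes:
    # Derived key: k' = F_k(l), then t = Mac_{k'}(m); l encoded as an n-bit block
    l = (len(m) // N).to_bytes(N, "big")
    return cbc_mac(F(k, l), m)

def mac_prepend_len(k: bytes, m: bytes) -> bytes:
    # Prepend length: t = Mac_k(l || m)
    return cbc_mac(k, (len(m) // N).to_bytes(N, "big") + m)

def mac_encrypted_tag(k: bytes, m: bytes) -> bytes:
    # Encrypted tag: <k1, k2> = <F_k(0), F_k(1)>, t = F_{k2}(Mac_{k1}(m))
    k1, k2 = F(k, (0).to_bytes(N, "big")), F(k, (1).to_bytes(N, "big"))
    return F(k2, cbc_mac(k1, m))

def vrfy(k: bytes, m: bytes, t: bytes, mac=cbc_mac) -> bool:
    # Vrfy_k(m, t): recompute the tag and compare in constant time, so the
    # comparison itself does not leak how many tag bytes matched
    return hmac.compare_digest(mac(k, m), t)
```

Messages of arbitrary byte length go through pad() first; the variable-length variants are then applied to the padded, whole-block message.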
Secrecy + Authenticity

We want a combination of encryption and MAC that provides IND-CCA and EU-CMA security.
Options:
Encrypt-and-MAC: c = Enc_{k1}(m), t = Mac_{k2}(m). Possibly insecure, as the MAC tag might leak information about m!
MAC-then-Encrypt: t = Mac_{k2}(m), c = Enc_{k1}(m ‖ t). Possibly insecure, but counter-examples are more involved.
Encrypt-then-MAC: c = Enc_{k1}(m), t = Mac_{k2}(c). Secure! (And a way to turn an IND-CPA secure encryption into an IND-CCA secure one if the MAC has unique tags.)
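Encrypt-then-MAC as an added Python example, not code from the lecture: the encryption is a PRF-ENC style stream cipher over a hash-based stand-in PRF and the generic Mac is HMAC-SHA256 from the standard library (both assumptions of this example). It also shows the earlier point that a bit flip in a bare stream-cipher ciphertext flips the same plaintext bit undetected, while the tag over the ciphertext causes the receiver to reject it before decrypting.

```python
import hashlib
import hmac
import secrets

IV_LEN, TAG_LEN = 16, 32

def prf(k: bytes, x: bytes) -> bytes:
    # Stand-in PRF used as keystream generator (assumption: hash-based, not a real cipher)
    return hashlib.sha256(k + x).digest()

def keystream_xor(k: bytes, iv: bytes, data: bytes) -> bytes:
    # PRF-ENC style stream cipher: data XOR F_k(iv || counter), 32 bytes per counter value
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = prf(k, iv + (i // 32).to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def enc(k1: bytes, m: bytes) -> bytes:
    iv = secrets.token_bytes(IV_LEN)                 # fresh random IV per message
    return iv + keystream_xor(k1, iv, m)

def dec(k1: bytes, c: bytes) -> bytes:
    return keystream_xor(k1, c[:IV_LEN], c[IV_LEN:])

def mac(k2: bytes, data: bytes) -> bytes:
    # Mac_{k2}: HMAC-SHA256 stands in for the generic MAC of the slides
    return hmac.new(k2, data, hashlib.sha256).digest()

def etm_encrypt(k1: bytes, k2: bytes, m: bytes) -> bytes:
    # Encrypt-then-MAC: c = Enc_{k1}(m), t = Mac_{k2}(c); transmit c || t
    c = enc(k1, m)
    return c + mac(k2, c)

def etm_decrypt(k1: bytes, k2: bytes, ct: bytes):
    # Verify the tag over the ciphertext first; decrypt only if it is valid,
    # otherwise return None without touching the plaintext
    c, t = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if not hmac.compare_digest(mac(k2, c), t):
        return None
    return dec(k1, c)

def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    # Helper: flip one bit of a byte string, to show what the MAC catches
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)
```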