
MACs: Message authentication and integrity. Source: cs.wellesley.edu/~cs310/lectures/11_MAC_slides_handouts.pdf · Computer Science Department, Wellesley College, Fall 2016


MACs

Message authentication and integrity

Foundations of Cryptography
Computer Science Department
Wellesley College
Fall 2016

Table of contents

Introduction

MACs

Timing attacks


Secure communication and message integrity

Imagine a supermarket chain sends an email request to purchase 10,000 crates of coke*. The supplier has to consider:

1. Is the order authentic, i.e., did the chain really issue an order, or was it spoofed?

2. Even if it assuredly came from the chain, the supplier must still ask whether the details are exactly as intended.

*The order itself is not secret and therefore the question of privacy does not arise.


Encryption vs. Message Authentication

• Why not use encryption to ensure message integrity? After all, if the adversary cannot figure out what you are saying, what harm can she do?

• Consider randomized counter mode, which we proved has indistinguishable encryption under a chosen-plaintext attack.

• If the message structure is known (or can be guessed), then the attacker can manipulate ciphertext to cause predictable changes in the plaintext.*

*How?


Using privacy to achieve authentication

• Suppose Bullwinkle transmits an ASCII message M100 which indicates that Rocky should please transfer $100 from the checking account of Bullwinkle to the checking account of Boris.

• The adversary Boris wants to change the amount from $100 to $900. Now if M100 had been sent in the clear, Boris could easily modify it.

• But if M100 is encrypted so that ciphertext C100 is sent, how is Boris to modify C100 so as to make Rocky recover the different message M900?


Not so fast*

*The format of the message is known to all parties.


And another thing ...

• In fact, sometimes confidentiality only gets in the way.

• We don't encrypt our checks when we sign them.

• With message encryption, the protection is lost when the message is decrypted. In addition, there is an overhead associated with encryption and decryption.


The problem in a nutshell

Data authenticity or integrity: sender S wants to send a message M to receiver R in such a way that R will be sure it came from S. But adversary A controls the communications channel.


The solution: Message Authentication Codes (MACs)

One solution is to attach a fixed-length "tag" to the original message. The tag, or MAC, serves to validate the authenticity of the message.*

*Confidentiality isn't always needed. In fact, sometimes confidentiality only gets in the way.


Message Authentication Codes

Definition 4.1. A message authentication code (MAC) is a tuple of probabilistic polynomial-time algorithms (Gen, Mac, Vrfy) such that:

1. The key-generation algorithm Gen takes as input the security parameter 1^n and outputs a key k with |k| ≥ n.

2. The tag-generation algorithm Mac takes as input a key k and a message m ∈ {0,1}*, and outputs a tag t. Since this algorithm may be randomized, we write t ← Mac_k(m).

3. The verification algorithm Vrfy takes as input a key k, a message m, and a tag t. It outputs a bit b, with b = 1 meaning valid and b = 0 meaning invalid. We assume WLOG that Vrfy is deterministic and so write this as b := Vrfy_k(m, t).

It is required that for every n, every k output by Gen(1^n), and every m ∈ {0,1}*, Vrfy_k(m, Mac_k(m)) = 1.


Canonical verification

• For deterministic message authentication codes, the canonical way to perform verification is to simply re-compute the tag and check for equality.
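The three algorithms of Definition 4.1 together with canonical verification, as an added example that is not part of the original slides: HMAC-SHA256 from Python's standard library stands in for the abstract deterministic MAC (an assumption of this example, not something the slides specify), and the key length, sample message and tampered message are constructed values.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 produces a fixed-length 32-byte tag


def gen(n: int = 32) -> bytes:
    """Gen(1^n): sample a uniformly random key of n bytes, so |k| >= n."""
    return os.urandom(n)


def mac(k: bytes, m: bytes) -> bytes:
    """Mac_k(m): deterministic tag over the whole message (HMAC-SHA256 assumed)."""
    return hmac.new(k, m, hashlib.sha256).digest()


def vrfy(k: bytes, m: bytes, t: bytes) -> bool:
    """Vrfy_k(m, t), canonical verification: recompute Mac_k(m) and compare.

    hmac.compare_digest examines every byte regardless of where the first
    mismatch is, so the comparison itself does not leak the correct tag.
    """
    return hmac.compare_digest(mac(k, m), t)


def demo() -> dict:
    """Exercise correctness and two rejection cases with constructed inputs."""
    k = gen()
    m = b"Transfer $100 from my account to Boris"      # constructed message
    t = mac(k, m)
    tampered = b"Transfer $900 from my account to Boris"  # adversary's edit
    return {
        "correct": vrfy(k, m, t),          # correctness requirement of Def. 4.1
        "tampered": vrfy(k, tampered, t),  # tag does not cover the edited message
        "wrong_key": vrfy(gen(), m, t),    # a different key yields a different tag
        "tag_len": len(t),
    }


if __name__ == "__main__":
    print(demo())
```

The only state shared between sender and receiver is the key; because Mac is deterministic here, Vrfy needs no separate secret algorithm, which is exactly what makes canonical verification possible.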


Security of message authentication codes

• Our goal is to detect any attempt by the adversary to modify the transmission.

• To accomplish this we seek MACs such that no polynomial-time adversary can generate a valid tag on any "new" message that was not previously sent.

• Of course, the adversary may have observed (or even influenced the content of) many messages and their corresponding tags before taking action.


Secure MACs

The message authentication experiment Mac-forge_{A,Π}(n):

1. A random key k is generated by running Gen(1^n).

2. The adversary A is given input 1^n and oracle access to Mac_k(·). The adversary eventually outputs a pair (m, t). Let Q denote the set of all queries that A asked to its oracle.

3. The output of the experiment is defined to be 1 if and only if (1) Vrfy_k(m, t) = 1; and (2) m ∉ Q.

Definition 4.2. A message authentication code Π = (Gen, Mac, Vrfy) is existentially unforgeable under an adaptive chosen-message attack if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that

Pr[Mac-forge_{A,Π}(n) = 1] ≤ negl(n).


Bullwinkle buys a bike from Bois

[Figure: the sender transmits "Transfer $100 from my account to Bois -- &*#@" (the message followed by its tag) across a channel on which the adversary sits; the receiver obtains "Transfer $100 from my account to Bois -- &*#@" and accepts it.]


Sometime later ...

[Figure: the sender is "out to lunch"; the adversary presents the same "Transfer $100 from my account to Bois -- &*#@" to the receiver again.]


Replay attacks and MACs

• MACs provide no protection against replay attacks.

• The problem is that MACs do not incorporate any notion of state in their verification algorithms. Thus, every time a valid pair (m, t) is presented to Vrfy_k it returns the same answer.

• Protection against replay attacks is left to some higher-level application.


Dealing with replay attacks

Two common techniques for dealing with replay attacks*:

Sequence numbers: The sender assigns a unique sequence number i to each message, which the receiver keeps track of. The MAC tag is computed over the concatenated message i|m.

Time stamps: The sender appends the current time to the message. When the receiver obtains a message, it checks whether the included time-stamp is within some acceptable window of the current time.

*Both schemes have certain drawbacks.
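Both techniques from this slide, as an added example that is not from the original lecture: a sequence-number receiver and a time-stamp-window receiver, each layered on HMAC-SHA256 (an assumed concrete MAC). The counter is encoded at a fixed width so that i|m cannot be split ambiguously, and the clock is passed in as a parameter so the behaviour can be checked without waiting. The key and messages are constructed.

```python
import hashlib
import hmac
import struct


def mac(k: bytes, m: bytes) -> bytes:
    """Concrete MAC assumed for the example: HMAC-SHA256."""
    return hmac.new(k, m, hashlib.sha256).digest()


def encode(i: int, m: bytes) -> bytes:
    """i|m with a fixed 8-byte big-endian counter, so the boundary is unambiguous."""
    return struct.pack(">Q", i) + m


class SeqSender:
    """Assigns a strictly increasing sequence number to every message."""
    def __init__(self, k: bytes):
        self.k, self.i = k, 0

    def send(self, m: bytes):
        self.i += 1
        return self.i, m, mac(self.k, encode(self.i, m))


class SeqReceiver:
    """Accepts a valid tag over i|m only if i is newer than anything seen so far."""
    def __init__(self, k: bytes):
        self.k, self.last = k, 0

    def accept(self, i: int, m: bytes, t: bytes) -> bool:
        if not hmac.compare_digest(mac(self.k, encode(i, m)), t):
            return False   # forged or modified
        if i <= self.last:
            return False   # replay; also rejects out-of-order delivery (a drawback)
        self.last = i
        return True


class TsSender:
    """Appends the current time; 'now' is supplied by the caller for determinism."""
    def __init__(self, k: bytes):
        self.k = k

    def send(self, m: bytes, now: int):
        return now, m, mac(self.k, encode(now, m))


class TsReceiver:
    """Accepts a valid tag whose time-stamp lies within +/- window of its own clock."""
    def __init__(self, k: bytes, window: int = 30):
        self.k, self.window, self.seen = k, window, set()

    def accept(self, ts: int, m: bytes, t: bytes, now: int) -> bool:
        if not hmac.compare_digest(mac(self.k, encode(ts, m)), t):
            return False
        if abs(now - ts) > self.window:
            return False   # stale, or sender/receiver clocks disagree (a drawback)
        # A plain window check still accepts a replay that arrives inside the
        # window, so tags seen within the window are remembered as well.
        if t in self.seen:
            return False
        self.seen.add(t)
        return True


def demo() -> dict:
    k = b"\x01" * 32                                   # constructed key
    m = b"Transfer $100 from my account to Boris"      # constructed message
    s, r = SeqSender(k), SeqReceiver(k)
    i, m1, t = s.send(m)
    seq_first = r.accept(i, m1, t)                     # fresh: accepted
    seq_replay = r.accept(i, m1, t)                    # same counter: rejected
    ts_s, ts_r = TsSender(k), TsReceiver(k)
    ts, m2, t2 = ts_s.send(m, now=1000)
    ts_first = ts_r.accept(ts, m2, t2, now=1003)       # inside window: accepted
    ts_replay = ts_r.accept(ts, m2, t2, now=1005)      # seen already: rejected
    ts_stale = ts_r.accept(ts, m2, t2, now=1100)       # outside window: rejected
    return {"seq_first": seq_first, "seq_replay": seq_replay,
            "ts_first": ts_first, "ts_replay": ts_replay, "ts_stale": ts_stale}


if __name__ == "__main__":
    print(demo())
```

Neither receiver ever calls the bare MAC verification on its own: the replay decision is made by the application-level state (last counter, seen set), which is the "higher-level" protection the previous slide refers to. In a long-running receiver the seen set would be pruned of entries older than the window.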


New tags on old messages

• Secure MACs ensure that an adversary cannot generate a valid tag on a new message that was never previously authenticated.

• This does not rule out the possibility that an attacker might be able to generate a new tag on a previously authenticated message.

• We may want to ensure that this cannot happen. To do so we consider a modified experiment Mac-sforge that is defined exactly as Mac-forge except that now the set Q contains pairs (m, t) of oracle queries and their responses.

• An adversary succeeds if and only if A outputs (m, t) such that Vrfy_k(m, t) = 1 and (m, t) ∉ Q.


Strong MACs

The message authentication experiment Mac-sforge_{A,Π}(n):

1. A random key k is generated by running Gen(1^n).

2. The adversary A is given input 1^n and oracle access to Mac_k(·). The adversary eventually outputs a pair (m, t). Let Q denote the set of all pairs (m, t) such that A queried Mac_k(m) and received tag t in response.

3. The output of the experiment is defined to be 1 if and only if (1) Vrfy_k(m, t) = 1; and (2) (m, t) ∉ Q.

Definition 4.3. A message authentication code Π = (Gen, Mac, Vrfy) is strongly secure if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that

Pr[Mac-sforge_{A,Π}(n) = 1] ≤ negl(n).


Verification

Proposition 4.4. Let Π = (Gen, Mac, Vrfy) be a secure MAC that uses canonical verification; then Π is a strong MAC.*

One can also consider an adversary who interacts with an honest receiver, sending (m', t') to the receiver to learn whether Vrfy_k(m', t') = 1.

It is not hard to incorporate this into our definition of MAC security. However, for MACs that use canonical verification it makes no difference: any such MAC that satisfies Definition 4.2 also remains secure when verification queries are possible.**

*Proof is left as an exercise.

**You guessed it, another exercise.


Things that go bark in the night

• Consider an adversary who can send message/tag pairs to the receiver and learn not only whether the receiver accepts or rejects, but also the time it takes to make the decision.

• We show that a natural implementation of MAC verification leads to an easily exploitable vulnerability.*

*This attack, which is an example of a side-channel attack, shows that certain real-world attacks are not captured by the usual definitions.


A potential timing attack

Assume a MAC using canonical verification that uses a standard routine (like strcmp in C) for byte comparisons.

• Suppose the attacker already knows the first i ≥ 0 bytes of the tag for message m.

• The attacker sends (m, t_0), ..., (m, t_255) to the receiver, where t_j is the string with the first i bytes set correctly, the (i+1)th byte equal to j, and the remaining bytes set to 0x00.

• All of these are likely to be rejected.* But for exactly one of these tags, say t_j, the first (i+1) bytes will match the correct tag and rejection will take slightly longer. The attacker learns that the (i+1)th byte of the correct tag is j.

*If not, the attacker wins right away.
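To see where the leak on this slide comes from and what removes it, an added example (not from the original slides) that instruments two comparison routines with a count of the bytes each examines, which is what a strcmp-style early exit turns into a timing difference: an early-exit loop, and a constant-time loop that always examines every byte, the behaviour hmac.compare_digest provides in Python. The 32-byte "correct" tag and the candidate layout are constructed to match the slide; no key or network is involved.

```python
import hashlib
import hmac


def leaky_compare(a: bytes, b: bytes):
    """strcmp-style comparison: stop at the first mismatch.

    Returns (equal, bytes_examined). The second value is the quantity that an
    observer of the receiver's rejection time indirectly sees.
    """
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_compare(a: bytes, b: bytes):
    """Accumulate XOR differences over every byte; work is independent of the data.

    This is the technique behind hmac.compare_digest; returns (equal, bytes_examined).
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps


def candidate(correct: bytes, i: int, j: int) -> bytes:
    """Tag t_j from the slide: first i bytes correct, byte i equal to j, rest 0x00."""
    return correct[:i] + bytes([j]) + b"\x00" * (len(correct) - i - 1)


def work_profile(correct: bytes, i: int):
    """Bytes examined by each routine across the 256 candidates for position i."""
    leaky = [leaky_compare(correct, candidate(correct, i, j))[1] for j in range(256)]
    ct = [constant_time_compare(correct, candidate(correct, i, j))[1] for j in range(256)]
    return leaky, ct


def verify_safely(k: bytes, m: bytes, t: bytes) -> bool:
    """Canonical verification that does not expose a data-dependent comparison."""
    return hmac.compare_digest(hmac.new(k, m, hashlib.sha256).digest(), t)


if __name__ == "__main__":
    tag = bytes(range(1, 33))          # constructed 32-byte tag, no zero bytes
    leaky, ct = work_profile(tag, 3)
    print("leaky  :", sorted(set(leaky)))   # one candidate does more work
    print("const  :", sorted(set(ct)))      # every candidate does the same work
```

With the early-exit routine, exactly one of the 256 candidates at position i is examined for i+2 bytes while the other 255 stop after i+1; that single outlier is the signal the slide describes. The constant-time routine examines all 32 bytes for every candidate, so the rejection path carries no information about how many leading bytes were right. In practice the remedy is to use the library's dedicated comparison, as verify_safely does, rather than a hand-rolled loop the compiler or interpreter might optimise back into an early exit.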


Right, but how realistic is this?

• This attack was carried out against the MACs used to verify code updates in the Xbox 360.

• The implementation of MAC verification had a difference of 2.2 milliseconds between rejection times.

• Attackers were able to exploit this and load pirated games onto the hardware.