
Message Authentication Codes




1 Message Authentication Codes
Instructor: Mohammad Sadeq Dousti

2 Copyright Notice This set of slides is licensed under Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0. Basically, this license allows others to use the slides verbatim, and even modify and incorporate them into their own work, as long as: they credit the original author(s); their work is used non-commercially; they license their work under CC BY-NC-SA 4.0. For further information, please consult: sa/4.0/legalcode

3 Outline
- Introduction to Integrity
- Definition of MAC
- Constructing Secure MACs
- CBC-MAC
- PMAC
- One-Time MACs

4 Introduction to Integrity
Integrity vs. Secrecy

5 Goal…
Secure communication over an open channel has two goals:
- Secrecy: prevent an eavesdropper (or possibly a more active adversary) from learning anything about the content of messages.
- Message integrity (or message authentication): each party should be able to identify when a message it receives was sent by the party claiming to send it, and was not modified in transit.
Goal of this lecture: achieve message integrity by using symmetric cryptographic techniques to prevent the undetected tampering of messages sent over an open communication channel.

6 Definition of MAC

7 Message Authentication Code (MAC)
We consider a model where the communicating parties are not aware of the semantics of messages being exchanged. Why? In general, messages are not limited to meaningful texts. Arbitrary binary messages are allowed. The verification of incoming messages must be automatic, regardless of the context. In general, encryption does not solve the problem of message integrity. Example: CBC-mode encryption achieves IND-CPA security, but provides no means of tampering detection.

8 MAC: Syntax

9 Canonical verification
In most practical MACs, the Mac algorithm is deterministic. If the Mac algorithm is deterministic, the following verification algorithm Vrfy_k(m, t) is possible: compute t' := Mac_k(m); output 1 if t' = t, and output 0 otherwise. This is referred to as the “canonical verification.” Even for deterministic MACs, it is useful to define a separate Vrfy algorithm in order to explicitly distinguish the semantics of authenticating a message vs. verifying its authenticity.

10 A potential timing attack
Consider the canonical verification algorithm. It computes the would-be tag t', and compares it with the received tag t. Assume that the comparison is performed using a library function such as strcmp() in C, which compares t and t' one byte at a time, and rejects as soon as the first unequal byte is encountered. The rejection time then depends on the position of the first unequal byte. An attack can be mounted if the adversary can measure the verification time. (How?) Moral: use a time-independent string comparison that always compares all bytes.
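The two comparison strategies side by side, as an added example that is not part of the original slides: a strcmp-style early-exit compare and a compare that touches every byte, each reporting how many bytes it examined before deciding. HMAC-SHA256 from the standard library stands in for the deterministic Mac_k; the key and message are constructed samples.

```python
import hmac
import hashlib

TAG_LEN = 32  # HMAC-SHA256 output length in bytes

def mac(key: bytes, msg: bytes) -> bytes:
    """Deterministic stand-in for Mac_k(m): HMAC-SHA256 (stdlib, assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def early_exit_equal(a: bytes, b: bytes):
    """strcmp-style comparison: stops at the first differing byte.
    Returns (equal, bytes_examined) so the data-dependent work is visible."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined

def constant_time_equal(a: bytes, b: bytes):
    """Examines every byte; the only early decision is on the (public) length."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y            # accumulate mismatches without branching on them
    return diff == 0, len(a)

def verify(key: bytes, msg: bytes, tag: bytes, compare):
    """Canonical verification: recompute t' = Mac_k(m), then compare(t', t)."""
    return compare(mac(key, msg), tag)

def flip_byte(tag: bytes, pos: int) -> bytes:
    """Constructed bad tag: the genuine tag with one byte corrupted at pos."""
    out = bytearray(tag)
    out[pos] ^= 0x01
    return bytes(out)

if __name__ == "__main__":
    key = b"k" * 16                        # constructed sample key
    msg = b"transfer 100 to alice"         # constructed sample message
    t = mac(key, msg)
    for pos in (0, 15, TAG_LEN - 1):
        bad = flip_byte(t, pos)
        print(pos, verify(key, msg, bad, early_exit_equal),
              verify(key, msg, bad, constant_time_equal))
    # In real code use the library primitive instead of a hand-rolled loop:
    print(hmac.compare_digest(t, mac(key, msg)))
```

The early-exit variant examines 1 byte when the first byte is wrong and 32 when only the last is wrong, which is exactly the position-dependent work the slide warns about; the constant-time variant always examines 32.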

11 Adversarial models
The following adversarial models are conceivable:
1. The attacker only knows the MAC scheme.
2. The attacker knows a number of messages, as well as their tags.
3. Chosen-Message Attack (CMA): the attacker has access to a Mac_k(·) oracle. He can choose messages of his choice, and receive their tags.
4. The attacker has access to both a Mac_k(·) oracle and a Vrfy_k(·,·) oracle. In addition to mounting a CMA attack, he can submit messages and tags of his choice to Vrfy_k(·,·), and check whether they are correctly verified.
For canonical verification, the 4th adversarial model is equivalent to the 3rd. (Why?) Since most practical MACs satisfy this property, we pick CMA as our basic model.

12 Adversarial goals
The following adversarial goals are conceivable:
1. Total break: the attacker can find the private key k.
2. Universal forgery: the attacker outputs an efficient algorithm which can forge a valid tag on any message. Why is this not necessarily equivalent to the 1st goal?
3. Selective forgery: the attacker can forge a tag on an a priori chosen message, given to him prior to the attack.
4. Existential forgery: the attacker can forge a valid tag on at least one message.
We pick the strongest possible definition of security, which protects against existential forgery. By unforgeability (UF), we mean security against existential forgery.
Example: consider the MAC scheme Π in which Gen(1^n) generates a random n-bit key k, Mac_k(m) = m, and Vrfy_k(m, t) = 1 if and only if t = m. This scheme is secure in the sense of “total break” (the key is never used, so it cannot be recovered), but is insecure in the sense of “universal forgery.”

13 UF-CMA security
As justified earlier, the adversary does not have access to the verification oracle. We can provide such access if needed. A MAC scheme Π is UF-CMA secure if for every efficient 𝒜 there is a negligible function negl such that:
$\Pr\left[\mathsf{MAC\text{-}forge}^{\mathrm{cma}}_{\mathcal{A},\Pi}(n) = 1\right] \le \mathrm{negl}(n).$

14 A stronger definition of security
The previous definition only requires that the adversary cannot forge a tag on a new message. The definition does not deem the following attack a breach of security: the adversary forges a new tag t' on a message m for which he already received one or more tags. As we will see, some applications require the stronger security requirement.

15 Strong UF-CMA (sUF-CMA) security
A MAC scheme Π is sUF-CMA secure if for every efficient 𝒜 there is a negligible function negl such that:
$\Pr\left[\mathsf{MAC\text{-}sforge}^{\mathrm{cma}}_{\mathcal{A},\Pi}(n) = 1\right] \le \mathrm{negl}(n).$

16 Replay attacks MACs by themselves do not protect against replay attacks. This is because the verification algorithm does not keep state. Such protection should be provided at a higher level, where state can be kept by the application using the MAC. This is further discussed when we investigate the notion of secure channels.

17 Constructing MACs A Fixed-Length MAC

18 Observation
Assume we used a random function f ←_R 𝔽_n as the Mac_k(·) algorithm. The key k is the description of f, which is exponential in n. So this is not an efficient solution, but let’s just investigate it. Then, the tag of any message m is f(m), which is picked uniformly. The probability that the adversary can forge a tag for a new message is at most 2^{-n}. We can simply replace the random function with a PRF, and prove the UF-CMA security by the assumption that PRFs are indistinguishable from RFs.

19 Construction

20 Proof of security Consider a scheme Π', which is exactly like the previous construction (Π), but uses random functions instead of PRFs. As stated before, the probability that an adversary (even an infinitely powerful one) can break the UF-CMA security of Π' is at most 2^{-n}. Let 𝒜 be an adversary which breaks the UF-CMA security of Π with probability ϵ. Using 𝒜, we construct a PPT distinguisher D which has access to some oracle 𝒪, and distinguishes whether 𝒪 is a PRF or an RF with advantage ϵ.

21 Distinguisher D

22 Assignments
1. Complete the proof of security. In particular, prove that $\Pr\left[\mathsf{MAC\text{-}forge}^{\mathrm{cma}}_{\mathcal{A},\Pi}(n) = 1\right] \le 2^{-n} + \epsilon(n)$. Hint: see THEOREM 4.6 in [KL14, p. 117].
2. Assume UF-CMA secure MACs exist.
   (a) Give a construction of a deterministic MAC that is UF-CMA secure, but whose Mac algorithm is not a secure PRF.
   (b) Give a construction of a MAC that is UF-CMA secure, but is not sUF-CMA secure.
   (c) Give a construction of a MAC that is UF-CMA secure, but is no longer secure if the adversary is additionally allowed to access the verification oracle.
   See [KL14, p. 148]: Exercise 4.3, Exercise 4.5, Exercise 4.9.
Solutions to Assignment 2 (starting from a UF-CMA secure MAC with algorithms Mac and Vrfy):
- 2.(a): Mac'_k(m) = 0 || Mac_k(m).
- 2.(b): Vrfy'_k(m, b||t) = Vrfy_k(m, t). The adversary simply receives the tag 0||t on any message m from the Mac oracle, and then outputs (m, 1||t).
- 2.(c): Vrfy'_k(m, b||t) does the following: if b = 0, output Vrfy_k(m, t); if b = 1, let i be the numeric value of t and output the ith bit of the key k.

23 Constructing MACs: An Arbitrary-Length MAC

24 Domain Extension for MACs
In the previous construction, if F_k(·) is a block cipher, the MAC can only work for inputs of fixed length. This limitation is not acceptable in practice, as we want to preserve integrity for messages of arbitrary length. Domain Extension for MACs: take a UF-CMA secure fixed-length MAC Π, and construct a UF-CMA secure arbitrary-length MAC Π'.

25 Ideas that do NOT work (1)
ECB-like construction: break a message into fixed-length blocks, and authenticate each individual block: m1, m2, m3 ↦ Mac_k(m1), Mac_k(m2), Mac_k(m3). Susceptible to a block re-ordering attack.

26 Ideas that do NOT work (2)
ECB-like construction with block number: like before, but authenticate block numbers as well: m1, m2, m3 ↦ Mac_k(1||m1), Mac_k(2||m2), Mac_k(3||m3). Susceptible to a truncation attack.

27 Ideas that do NOT work (3)
ECB-like construction with block number and message length: like before, but authenticate the message length ℓ as well: m1, m2, m3 ↦ Mac_k(ℓ||1||m1), Mac_k(ℓ||2||m2), Mac_k(ℓ||3||m3). Susceptible to a mix-and-match attack: forgery by having tags on two equal-length messages. Obtain (t1, t2) on (m1, m2) and (t1', t2') on (m1', m2'); then (t1, t2') is a valid tag on (m1, m2').

28 A working idea… Everything like before, but in addition authenticate a random message identifier r: m1, m2, m3 ↦ Mac_k(r||ℓ||1||m1), Mac_k(r||ℓ||2||m2), Mac_k(r||ℓ||3||m3). The mix-and-match attack now fails: (m1, m2) and (m1', m2') are tagged under different identifiers r and r', so (t1, t2') is not a valid tag on (m1, m2'). Provably secure construction (THEOREM 4.8 in [KL14, p. 120]), but very inefficient: it quadruples the tag size!

29 CBC MAC

30 Why CBC? We want to construct MACs with short tags. Can we use private-key encryption for this? In general, encryption can only be used for secrecy. But some encryption modes are very sensitive to message changes. For instance, in CBC mode, if any bit of the message is changed, the final block will change. In contrast, the final block in CTR or OFB mode is not sensitive to changes in the middle blocks of the message.

31 Attempt 1 Compute CBC-mode encryption on the message, and output the IV and the last block as the tag: for M = (M1, M2, M3), the tag is T = (IV, C3).
Forgery: pick any M1' and choose IV' such that IV' ⊕ M1' = IV ⊕ M1. Then T' = (IV', C3) is a valid tag on M' = (M1', M2, M3), because the input to the first block-cipher call, and hence the whole chain, is unchanged.

32 Attempt 2: Basic CBC-MAC
Compute CBC-mode encryption on the message with IV = 0^n, and output the last block as the tag. Susceptible to length-extension attacks: given the tag C1 on the single-block message (M1), output the same tag C1 on the two-block message (M1, M1 ⊕ C1).

33 Basic CBC-MAC

34 Making basic CBC-MAC secure
Three approaches to prevent length-extension attacks:
1. Use fixed-length messages.
2. Prepend message m with its length |m|. This approach is not good for streaming applications. (Why?) Note that appending |m| to the end of the message and then computing the basic CBC-MAC is not secure. (Why?)
3. ECBC-MAC: change the scheme so that key generation chooses two independent, uniform keys k1 ∈ {0,1}^n and k2 ∈ {0,1}^n. To authenticate a message m, first compute the basic CBC-MAC of m using k1 and let t be the result; output the tag t' := F_{k2}(t).
All three approaches provide UF-CMA secure MACs. The proof is quite involved; see the corresponding section of [KL14, p. 125].
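The length-extension forgery from Attempt 2 run against basic CBC-MAC, ECBC-MAC and the length-prepending variant, as an added example that is not part of the original slides or of [KL14]. HMAC-SHA256 truncated to one block stands in for the block cipher F_k (an assumption; the forgery does not depend on which PRF is used), and the keys and message are constructed samples.

```python
import hmac
import hashlib

BLOCK = 16               # block length n = 128 bits
K1 = b"\x01" * BLOCK     # constructed sample keys
K2 = b"\x02" * BLOCK

def F(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher F_k: HMAC-SHA256 truncated to one block."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def basic_cbc_mac(key: bytes, blocks: list) -> bytes:
    """Attempt 2 from the slides: CBC chaining with IV = 0^n, tag = last block."""
    c = bytes(BLOCK)
    for m in blocks:
        c = F(key, xor(c, m))
    return c

def ecbc_mac(k1: bytes, k2: bytes, blocks: list) -> bytes:
    """ECBC-MAC: basic CBC-MAC under k1, then one extra F under independent k2."""
    return F(k2, basic_cbc_mac(k1, blocks))

def length_prepended_cbc_mac(key: bytes, blocks: list) -> bytes:
    """Approach 2: prepend |m| (bit length, as one block) before basic CBC-MAC."""
    ell = (len(blocks) * BLOCK * 8).to_bytes(BLOCK, "big")
    return basic_cbc_mac(key, [ell] + blocks)

def length_extension_forgery(m1: bytes, t: bytes) -> list:
    """Given tag t on the one-block message (m1), return (m1, m1 XOR t): under
    basic CBC-MAC the second chaining input is t XOR m1 XOR t = m1, so the
    tag is F_k(m1) = t again."""
    return [m1, xor(m1, t)]

def extension_succeeds(mac_fn, m1: bytes) -> bool:
    """Does the forgery verify, using only the observed tag mac_fn([m1])?"""
    t = mac_fn([m1])
    return mac_fn(length_extension_forgery(m1, t)) == t

if __name__ == "__main__":
    m1 = b"pay 1 coin to B."   # constructed 16-byte sample block
    print("basic CBC-MAC  :", extension_succeeds(lambda bs: basic_cbc_mac(K1, bs), m1))
    print("ECBC-MAC       :", extension_succeeds(lambda bs: ecbc_mac(K1, K2, bs), m1))
    print("length-prepend :", extension_succeeds(lambda bs: length_prepended_cbc_mac(K1, bs), m1))
```

Against ECBC-MAC the attacker only sees F_{k2}(t), not the inner value t, so the extension no longer lines up; with the length prepended, the forged two-block message starts a different chain from its first block.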

35 PMAC Parallelizable MAC

36 Introduction to PMAC
Designed by Black and Rogaway in 2002. PMAC addresses a particular problem of CBC-MAC: it is inherently sequential. HMAC has the same drawback; we will introduce HMAC after investigating hash functions. Other advantages of PMAC:
- PMAC is more than a MAC: it is a PRF.
- PMAC works with any block cipher.
- PMAC works on arbitrary-length bit strings.
- PMAC provides arbitrary-length tags (up to the block length n).
- PMAC is deterministic.

37 PMAC0: Similar to PMAC, but simpler!
message blocks → order-enforcing function with key k → PRF with key k1 → XOR → PRF with key k2 → tag

38 PMAC advantages over PMAC0
PMAC uses arithmetic in the finite field GF(2^n) instead of arithmetic modulo N. Addition in GF(2^n) is just an XOR; multiplication is efficient by proper choice of parameters. By using arithmetic in GF(2^n), the security reduction (t, ϵ) ⇒ (t', ϵ') is possible for a smaller value of ϵ', thus providing a somewhat better security bound. PMAC derives the key k as k := F(k1, 0^n) and sets k2 := k1. Hence PMAC uses a shorter secret key than PMAC0. Other advantages… (see [BS15, p. 242].)

39 PMAC with PRP is incremental
The goal of incremental cryptography is to design cryptographic algorithms with the property that, having applied the algorithm to a message, it is possible to quickly update the result for a modified message, rather than having to re-compute it from scratch. Assume that PMAC/PMAC0 is computed for m, and the output is the tag t. Let m' be the result of changing block number i of m from a_i to a_i'. For PMAC0, the new tag t' is obtained as:
$t_1 := F^{-1}(k_2, t)$
$t_2 := t_1 \oplus F(k_1,\ a_i + i k \bmod N) \oplus F(k_1,\ a_i' + i k \bmod N)$
$t' := F(k_2, t_2)$
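The three-step update carried out on a toy PMAC0, as an added example that is not part of the original slides or of [BS15]. Assumptions: the block arithmetic is taken modulo N = 2^128, the order-enforcing key k is an integer, and F is a small 4-round Feistel permutation built from HMAC-SHA256 so that F^{-1}(k2, ·) exists (the PRP requirement named in the slide title); real PMAC uses a block cipher and GF(2^n) arithmetic instead.

```python
import hmac
import hashlib

N_BITS = 128
N = 1 << N_BITS          # blocks and the order-enforcing arithmetic live mod N
HALF = N_BITS // 16      # bytes per Feistel half (8)

def _round(key: bytes, r: int, half: bytes) -> bytes:
    """Feistel round function: keyed PRF (HMAC-SHA256) truncated to a half-block."""
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:HALF]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def F(key: bytes, x: int, inverse: bool = False) -> int:
    """Toy 4-round Feistel PRP on N-bit blocks; inverse=True computes F^{-1}."""
    b = x.to_bytes(2 * HALF, "big")
    L, R = b[:HALF], b[HALF:]
    if not inverse:
        for r in range(4):
            L, R = R, _xor(L, _round(key, r, R))
    else:
        for r in range(3, -1, -1):            # undo the rounds in reverse order
            L, R = _xor(R, _round(key, r, L)), L
    return int.from_bytes(L + R, "big")

def pmac0(k: int, k1: bytes, k2: bytes, blocks: list) -> int:
    """PMAC0 from scratch: XOR of F(k1, a_i + i*k mod N) over blocks, then F(k2, .)."""
    acc = 0
    for i, a in enumerate(blocks, start=1):   # block numbers start at 1
        acc ^= F(k1, (a + i * k) % N)
    return F(k2, acc)

def pmac0_update(k: int, k1: bytes, k2: bytes, t: int,
                 i: int, a_old: int, a_new: int) -> int:
    """Incremental update: peel off F(k2, .), swap one XOR term, reapply F(k2, .)."""
    t1 = F(k2, t, inverse=True)
    t2 = t1 ^ F(k1, (a_old + i * k) % N) ^ F(k1, (a_new + i * k) % N)
    return F(k2, t2)

if __name__ == "__main__":
    K, K1, K2 = 0x1234567890ABCDEF, b"\x01" * 16, b"\x02" * 16   # constructed keys
    blocks = [3, 1 << 100, 12345, 999]                           # constructed message
    t = pmac0(K, K1, K2, blocks)
    updated = blocks[:]
    updated[1] = 777
    print(pmac0_update(K, K1, K2, t, 2, blocks[1], 777) == pmac0(K, K1, K2, updated))
```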

40 One-Time MACs (Information-Theoretic MACs)

41 Introduction Perfect secrecy provided protection against infinitely powerful adversaries who observe a single ciphertext. Can we define and construct MACs which can resist infinitely powerful adversaries? A similar model can be used, where the adversary may only observe a single message-tag pair. We certainly cannot hope that the probability that an adversary outputs a valid tag on a previously unauthenticated message is 0: for an n-bit tag, the adversary can always forge a correct tag with probability 2^{-n} by guessing!

42 One-time ϵ-security A MAC scheme Π is one-time ϵ-secure if for every (even infinitely powerful) 𝒜:
$\Pr\left[\mathsf{MAC\text{-}forge}^{1\text{-}\mathrm{time}}_{\mathcal{A},\Pi}(n) = 1\right] \le \epsilon.$

43 Strongly-universal hash function (UHF)
To construct information-theoretic MACs, we need a simple tool called strong UHFs.
DEFINITION: A function $h: \mathbb{K} \times \mathbb{M} \to \mathbb{T}$ is a strong UHF if for all distinct $m, m' \in \mathbb{M}$ and all $t, t' \in \mathbb{T}$ it holds that:
$\Pr_{k \leftarrow \mathbb{K}}\left[h_k(m) = t \wedge h_k(m') = t'\right] = \frac{1}{|\mathbb{T}|^2}.$
Equivalently, two conditions should hold:
- For all $m \in \mathbb{M}$ and $k \leftarrow_R \mathbb{K}$, the random variable $h_k(m)$ is uniformly distributed over $\mathbb{T}$.
- For all distinct $m, m' \in \mathbb{M}$ and $k \leftarrow_R \mathbb{K}$, the random variables $h_k(m)$ and $h_k(m')$ are independent.
Strong UHFs are functions whose values at any pair of distinct points are independent. Thus, they are sometimes called pairwise-independent hash functions or strong 2-UHFs.

44 Example Let p be any prime number, and $\mathbb{M} = \mathbb{T} = \mathbb{Z}_p$. A key (a, b) consists of a pair of elements from $\mathbb{Z}_p$; thus $\mathbb{K} = \mathbb{Z}_p \times \mathbb{Z}_p$. Define $h_{a,b}(m) = [a \cdot m + b \bmod p]$. ASSIGNMENT: Prove that the above function is a strong UHF. Hint: see THEOREM 4.26 in [KL14, p. 144].

45 Construction of information-theoretic MACs
ASSIGNMENT: Prove that the above function is a 1/|𝕋|-secure one-time MAC for messages in 𝕄. Hint: see THEOREM 4.25 in [KL14, p. 144].

46 Some observations
The previous construction of an information-theoretic MAC is secure as long as 1/|𝕋| is negligible. Example: if 𝕋 = {0,1}^n, then |𝕋| = 2^n, and the construction is secure. To preserve the information-theoretic security of the MAC, each key must be used for a single message, as in the OTP! As shown next, we can convert a one-time MAC into a many-time MAC.

47 Carter–Wegman MAC
Let F be a PRF, and Mac be a one-time MAC. The Carter–Wegman MAC is defined as follows:
$\mathrm{CW\text{-}MAC}_{k_1, k_2}(m) = \left(r,\ F_{k_1}(r) \oplus \mathrm{Mac}_{k_2}(m)\right)$
Notice that CW-MAC is probabilistic, and thus is not a PRF. CW-MAC is a PRF-based XOR encryption of the one-time MAC $\mathrm{Mac}_{k_2}(m)$ of the message. As such, CW-MAC(m) is a many-time MAC (in the computational sense) for $m \in \mathbb{M}$ with a single key (k1, k2).
(Diagram: $F_{k_1}$ is the slow component, applied only to the short input r; $\mathrm{Mac}_{k_2}$ is the fast component, applied to the long input m.)

48 References Chapter 4 of [KL14]; Chapters 6 and 7 of [BS15].
[BGG] M. Bellare, O. Goldreich & S. Goldwasser. “Incremental Cryptography and Application to Virus Protection,” STOC, 1995.
[BS15] D. Boneh & V. Shoup. “A Graduate Course in Applied Cryptography,” Available online:
[KL14] J. Katz & Y. Lindell. “Introduction to Modern Cryptography: Principles and Protocols,” 2nd Edition, CRC Press, 2014.

