1. Cryptography Lecture 10
2. [Figure: the sender, holding k, computes t = Mac_k(m) and sends (m, t); the receiver, holding k, gets (m’, t’) and checks Vrfy_k(m’, t’) = 1?]
3. [Figure: sender and receiver share the key k; (m, t) is in transit between them]
4. [Figure: (m, t) is sent and forwarded over the channel; the receiver, holding k, checks Vrfy_k(m, t) = 1?]
5. [Figure: (cookie, t) is sent, where the cookie contains “…price=10…”; both ends hold k]
6. Secrecy vs. integrity
   - Secrecy and integrity are orthogonal concerns
   - Possible to have either one without the other
   - Sometimes you might want one without the other
   - Most often, both are needed
   - Encryption does not (in general) provide any integrity
   - None of the schemes we have seen so far provide any integrity!
7. [Figure: c := (m1 m2 … mn) encrypted under k is sent as c1 c2 … cn; the last block is replaced by c’n, and the receiver decrypts c1 c2 … c’n under k to m1 m2 … m’n]
8. Message authentication code (MAC)
   A message authentication code is defined by three PPT algorithms (Gen, Mac, Vrfy):
   - Gen: takes as input 1^n; outputs k. (Assume |k| ≥ n.)
   - Mac: takes as input key k and message m; outputs a tag t, written t ← Mac_k(m)
   - Vrfy: takes key k, message m, and tag t as input; outputs 1 (“accept”) or 0 (“reject”)
   For all m and all k output by Gen, Vrfy_k(m, Mac_k(m)) = 1
9. Security?
   - Only one standard definition
   - Threat model: “Adaptive chosen-message attack”
     Assume the attacker can induce the sender to authenticate messages of the attacker’s choice
   - Security goal: “Existential unforgeability”
     Attacker should be unable to forge a valid tag on any message not previously authenticated by the sender
10. [Figure: sender and receiver share k; the attacker submits m1, m2, …, mi and receives t1 := Mac_k(m1), t2 := Mac_k(m2), …, ti := Mac_k(mi); it then sends (m, t), and the receiver checks Vrfy_k(m, t) = ??]
11. Formal definition
   Fix an attacker A and a MAC scheme Π. Define the randomized experiment Forge_{A,Π}(n):
   - k ← Gen(1^n)
   - A interacts with an oracle Mac_k(·); let M be the set of messages submitted to this oracle
   - A outputs (m, t)
   - A succeeds, and the experiment evaluates to 1, if Vrfy_k(m, t) = 1 and m ∉ M
12. Security for MACs
   Π is secure if for all PPT attackers A, there is a negligible function ε such that
   Pr[Forge_{A,Π}(n) = 1] ≤ ε(n)
13. Security?
   Is the definition too strong?
   - We don’t want to make any assumptions about what the sender might authenticate
   - We don’t want to make any assumptions about what forgeries are “meaningful”
   - A MAC satisfying this definition can be used anywhere integrity is needed
14. Replay attacks
   - Note that replay attacks are not prevented
   - No stateless mechanism can prevent them
   - Replay attacks are often a significant real-world concern
   - Need to protect against replay attacks at a higher level
   - Decision about what to do with a replayed message is application-dependent
15. A fixed-length MAC
16. Intuition?
   We need a keyed function Mac such that:
   - Given Mac_k(m1), Mac_k(m2), …, it is infeasible to predict the value Mac_k(m) for any m ∉ {m1, …, mi}
   Let Mac be a pseudorandom function!
17. Construction
   Let F be a length-preserving pseudorandom function (aka block cipher)
   Construct the following MAC Π:
   - Gen: choose a uniform key k for F
   - Mac_k(m): output F_k(m)
   - Vrfy_k(m, t): output 1 iff F_k(m) = t
   Theorem: Π is a secure MAC
18. Proof by reduction
   [Figure: distinguisher D, with oracle access to either F_k or a random function, runs the adversary; each query m1, …, mi is forwarded to the oracle and the answers t1, …, ti are returned as tags; when the adversary outputs (m, t), D queries m to obtain t* and outputs 1 if m is new and t = t*]
19. Analysis
   - When D interacts with F_k for uniform k, the view of the adversary is identical to its view in the real MAC experiment:
     Pr[D^{F_k} outputs 1] = Pr[Forge_{Adv,Π}(n) = 1]
   - When D interacts with uniform f, then seeing f(m1), …, f(mi) does not help predict f(m) for any m ∉ {m1, …, mi}:
     Pr[D^f outputs 1] ≤ 2^{-n}
20. Analysis
   Since F is a pseudorandom function,
   | Pr[D^{F_k} outputs 1] − Pr[D^f outputs 1] | < negl(n)
   so Pr[Forge_{Adv,Π}(n) = 1] = Pr[D^{F_k} outputs 1] ≤ 2^{-n} + negl(n)
21. Drawbacks?
   - This only works for fixed-length messages
   - This only works for short messages
     E.g., AES has a 128-bit block size (shorter than a tweet!)
   - So the previous construction is limited to authenticating short, fixed-length messages
22. Suggestions?
   Can you construct a secure MAC for variable-length messages from a MAC for fixed-length messages?
   One natural idea:
   - Mac’_k(m1, …, ml) = Mac_k(m1), …, Mac_k(ml)
   - Vrfy’_k(m1, …, ml, t1, …, tl) = 1 iff Vrfy_k(mi, ti) = 1 for all i
   Is this secure? Other suggestions?
23. A construction
   Need to prevent (at least):
   - Block reordering
   - Truncation
   - “Mixing-and-matching” blocks from multiple messages
   One solution:
   Mac’_k(m1, …, ml) = r, Mac_k(r | l | 1 | m1), Mac_k(r | l | 2 | m2), …
   Not very efficient – can we do better?
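The block-wise constructions of slides 22 and 23 side by side, as an added example that is not part of the lecture: the per-block MAC accepts a reordered or truncated message, while the r | l | i prefix makes the verifier reject both. The stand-in F_k (HMAC-SHA256 truncated to n = 128 bits), the 4-byte encodings of r, l and i, and all function names are assumptions of this example.

```python
import hashlib, hmac, os, struct
N = 16        # block length n = 128 bits, in bytes
SUB = N // 4  # r, l, i and each m_i get n/4 bits (4 bytes), so r | l | i | m_i is one n-bit block

def mac_fixed(k, m):
    """Slide 17's fixed-length MAC Mac_k(m) = F_k(m). F_k is a stand-in PRF here (this example's
    assumption, not the lecture's): HMAC-SHA256 truncated to n bits; a block cipher in practice."""
    assert len(m) == N, "fixed-length MAC takes exactly one n-bit block"
    return hmac.new(k, m, hashlib.sha256).digest()[:N]

def vrfy_fixed(k, m, t):
    return 1 if hmac.compare_digest(mac_fixed(k, m), t) else 0

def split(m, size):  # messages in this example are block-aligned, so no padding is shown
    assert len(m) % size == 0
    return [m[i:i + size] for i in range(0, len(m), size)]

# Slide 22's "natural idea": authenticate each n-bit block independently.
def mac_naive(k, m):
    return [mac_fixed(k, b) for b in split(m, N)]
def vrfy_naive(k, m, tags):
    blocks = split(m, N)
    return 1 if len(tags) == len(blocks) and all(vrfy_fixed(k, b, t) for b, t in zip(blocks, tags)) else 0

# Slide 23's construction: tag r | l | i | m_i with a fresh random r, block count l and index i.
def mac_prefixed(k, m, r=None):
    blocks, r = split(m, SUB), (os.urandom(SUB) if r is None else r)
    return r, [mac_fixed(k, r + struct.pack(">II", len(blocks), i) + b) for i, b in enumerate(blocks, 1)]

def vrfy_prefixed(k, m, tag):
    r, tags = tag
    blocks = split(m, SUB)
    if len(tags) != len(blocks):  # truncation or extension changes l, so the tag count must match
        return 0
    ok = all(vrfy_fixed(k, r + struct.pack(">II", len(blocks), i) + b, t)
             for (i, b), t in zip(enumerate(blocks, 1), tags))
    return 1 if ok else 0

def demo(k=b"\x2a" * 16):
    m = bytes(range(2 * N))  # constructed 32-byte message: two n-bit blocks, eight n/4-bit blocks
    swapped, truncated = m[N:] + m[:N], m[:N]
    tn, (r, tp) = mac_naive(k, m), mac_prefixed(k, m)
    return {
        "naive_accepts_swapped": vrfy_naive(k, swapped, tn[::-1]),    # block reordering passes
        "naive_accepts_truncated": vrfy_naive(k, truncated, tn[:1]),  # truncation passes
        "prefixed_rejects_swapped": vrfy_prefixed(k, swapped, (r, tp[4:] + tp[:4])),
        "prefixed_rejects_truncated": vrfy_prefixed(k, truncated, (r, tp[:4])),
        "prefixed_accepts_genuine": vrfy_prefixed(k, m, (r, tp)),
    }
```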
24. (Basic) CBC-MAC
   [Figure: m1 is fed to F_k; each following block m2, …, ml is XORed with the previous F_k output and fed to F_k; the final output is the tag t]
25. CBC-MAC vs. CBC-mode
   - CBC-MAC is deterministic (no IV)
     MACs do not need to be randomized to be secure
     Verification is done by re-computing the result
   - In CBC-MAC, only the final value is output
   - Both are essential for security
   - Exercise: show attacks on variants
26. Security of (basic) CBC-MAC?
   - If F is a pseudorandom function with block length n, then for any fixed l basic CBC-MAC is a secure MAC for messages of length l·n
   - The sender and receiver must agree on the length parameter l in advance
   - Basic CBC-MAC is not secure if this is not done!
   - Attacks?
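Basic CBC-MAC with a fixed length parameter, as an added example that is not the lecture's code: the verifier enforces the agreed l before recomputing the tag, the tag is deterministic, and only the final block output is released; with l = 1 it reduces to the fixed-length MAC of slide 17. F_k as HMAC-SHA256 truncated to n = 128 bits, and the function names, are assumptions of this example.

```python
import hashlib, hmac

N = 16  # block length n = 128 bits, in bytes

def prf(k, x):
    """Stand-in for F_k, a length-preserving PRF (a block cipher such as AES in practice).
    HMAC-SHA256 truncated to n bits is this example's assumption, not the lecture's F."""
    assert len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(k, m, l):
    """Basic CBC-MAC for messages of exactly l*n bits (slide 24): deterministic, no IV,
    and only the final F_k output is released; the intermediate chaining values stay internal."""
    if len(m) != l * N:
        raise ValueError("basic CBC-MAC is only defined for messages of length l*n")
    t = bytes(N)                          # chaining value starts at 0^n
    for i in range(0, len(m), N):
        t = prf(k, xor(t, m[i:i + N]))    # t_i = F_k(t_{i-1} XOR m_i)
    return t

def cbc_mac_vrfy(k, m, t, l):
    """Verification recomputes the tag (slide 25). The agreed length parameter l is checked
    first, as slide 26 requires: a message of any other length is rejected before computing."""
    if len(m) != l * N:
        return 0
    return 1 if hmac.compare_digest(cbc_mac(k, m, l), t) else 0

def demo(k=b"\x01" * 16, l=3):
    m = bytes(range(l * N))               # constructed 48-byte message (l = 3 blocks)
    t = cbc_mac(k, m, l)
    tampered = bytearray(m); tampered[N] ^= 1   # flip one bit in the second block
    return {
        "genuine": cbc_mac_vrfy(k, m, t, l),
        "tampered_block": cbc_mac_vrfy(k, bytes(tampered), t, l),
        "wrong_length": cbc_mac_vrfy(k, m + bytes(N), t, l),         # l+1 blocks: rejected outright
        "deterministic": cbc_mac(k, m, l) == t,                      # no IV, same tag every time
        "l_one_is_slide_17": cbc_mac(k, m[:N], 1) == prf(k, m[:N]),  # l = 1: Mac_k(m) = F_k(m)
    }
```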