Post on 15-Feb-2016
description
Message Authentication Codes
CSCI 5857: Encoding and Encryption
Outline• Message Authentication Code• Adding a key to an existing hash function
– Prefix/postfix MAC– Nested MAC– HMAC algorithm
• Creating a MAC using a block cipher (CMAC)• Combining confidentiality and information integrity
3
Digests and Networks• Same hash applied to message by sender and recipient
– Sender creates digest and sends along with message– Recipient creates digest from received message, and compares to received
digest– If no match, message has been tampered with en route
M
4
Digests and Networks• Problem: Adversary can easily intercept digest and
change it to match new message– Must assume adversary knows hash function we use!
M
h(M )
5
Message Authentication CodesUsing secret key to create digest
– Creates MAC as h(M, k)– Without k, Darth can’t substitute M and then duplicate the
h(M , k) that recipient will use to check message integrity– k must be large enough to prevent exhaustive search
6
Prefix/Postfix MAC• Key = “extra bits” at beginning or end of message
h(M, k) = h(M | k) or h(k | M)
• Hash algorithm used must have strong “avalanche effect”– Changing few bits at beginning/end changes most bits of MAC even if rest
of message is the same– Better if key “spread out” over message rather than at known fixed
location
Message
7
Nested MAC• Hashing applied multiple times
– Concatenate key with message:k | M
– Run through hash: h(k | M)
– Concatenate key again: k | h(k | M)
– Run through hash again:MAC = h(k | h(k | M))
• Changes in key have greater avalanche effect on final MAC
8
Hashed MAC (HMAC)• 2-stage nested MAC
• Different “round keys” generated for each hash– Stage 1: k1 = k ipad– Stage 2: k2 = k opad
9
Hashed MAC (HMAC)
• Stage 1: k1 = k ipad– Key k padded out to b bits with extra 0’s– ipad = 00110110 00110110 … repeated to b bits
• Stage : k2 = k opad– opad = 01011100 01011100 … repeated to b bits
• Key idea:ipad and opad differ in half of possible bits k1 and k2 will differ very greatly
10
Chained MAC (CMAC)• “Hashless” MAC
– Uses an encryption algorithm (DES, AES, etc.) to generate MAC
11
Chained MAC (CMAC)• Based on same idea as cipher block chaining
– Message broken into N blocks– Each block fed into an encryption algorithm with key– Result XOR’d with next block before encryption to make final MAC
depend on all blocks• Compresses result to size of single block (unlike encryption)
12
Chained MAC (CMAC)
• Final stage uses “additional key”– Derived from cipher key but hides relationship to key:
• Encrypting all 0’s • Multiplying by x or x2 over GF(2n)
13
Chained MAC (CMAC)• Additional key XOR’d
with final block• Crucial to use different
key for last XOR– Avoids differential
cryptanalysis of 2 messages with same beginning
• MAC = leftmost n bits of result
14
Chained MAC (CMAC)• Advantages:
– Can use existing encryption functions– Encryption functions have properties that resist preimage
and collision attacks• Ciphertext designed to appear like “random noise” – good
approximation of random oracle model• Most exhibit strong avalanche effect – minor change in message
gives great change in resulting MAC
• Disadvantage:– Encryption algorithms (particularly when chained) can be
much slower than hash algorithms
15
Message Integrity and Confidentiality
• Can encrypt and hash message with different keys– Hash plaintext before encryption
– Hash ciphertext after encryption• Allows authentication to take place without decryption
(usually much faster)
h
h
h
h
h
h
h