Message authentication codes (MACs)

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 143

Transcript of mdr/teaching/crypto19/crypto6.pdf

Page 2:

Message authentication codes

A hash function can be used to guarantee the integrity of messages (e.g., the integrity of downloaded software), provided the hash value itself is obtained from a trusted source.

However, a hash function alone is insufficient to guarantee the authenticity of messages (i.e., the fact that a message came from a particular source). If you merely use a hash function, the attacker can modify the message and recompute the hash.

To guarantee authenticity, we use a “message authentication code” (MAC): a keyed hash function. Assumption: Alice and Bob share a secret key k.

Alice sends to Bob: m, MACk(m).

When Bob receives this message, say (m, x), he computes MACk(m) and then checks whether x = MACk(m). (In practice the comparison should be constant-time, so that the verifier does not leak how many bytes of the tag matched.)

How to define a MAC function from a hash function?

Page 3:

How to define MAC from a hash function?

- MACk(m) could be defined as h(k||m). However, this is vulnerable to a “length extension attack”. Given m and h(k||m), one can construct m′ and h(k||m′) (for example, let m′ be m||padding||length(m)||m′′, where padding||length(m) is exactly what the hash function itself appends before compressing). This applies to Merkle–Damgård hashes such as MD5, SHA-1 and SHA-2; the attacker never needs to know k, only its length.

Thus, if Alice sent the message m with MACk(m) using this definition, the attacker could modify the message to m′ with MACk(m′).

- The constructions MACk(m) = h(m||k) and MACk(m) = h(k||m||k) have also been found to have weaknesses.
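A worked demonstration of the length-extension attack on MACk(m) = h(k||m), added here as an example (it is not part of the original slides). It contains a pure-Python SHA-256 whose chaining state and prior length can be set, so that h(k||m) can be extended to h(k||m||glue||m′′) without knowing k. The attacker is assumed to know the key length (in practice it is guessed by trying a few values); the key, message and suffix are constructed sample data.

```python
import hashlib
import math
import struct

M32 = 0xFFFFFFFF


def _primes(n):
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps


def _icbrt(n):
    # Exact integer cube root (floor) by binary search; avoids float rounding in the constants.
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


# SHA-256 round constants and IV: fractional bits of the cube / square roots of the first primes.
K = [_icbrt(p << 96) & M32 for p in _primes(64)]
H0 = [math.isqrt(p << 64) & M32 for p in _primes(8)]


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M32


def _compress(state, block):
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & M32)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & M32
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & M32
        a, b, c, d, e, f, g, h = (t1 + t2) & M32, a, b, c, (d + t1) & M32, e, f, g
    return [(x + y) & M32 for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def md_pad(total_len):
    # Merkle-Damgard padding for a message of total_len bytes: 0x80, zeros, 64-bit bit length.
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha256(data, state=None, prior_len=0):
    # Standard SHA-256 when state is None; otherwise resumes from a given chaining value
    # as if prior_len bytes (a multiple of 64) had already been absorbed.
    state = list(H0) if state is None else list(state)
    data += md_pad(prior_len + len(data))
    for i in range(0, len(data), 64):
        state = _compress(state, data[i:i + 64])
    return struct.pack(">8I", *state)


def matches_stdlib(data):
    # Sanity check of the hand-written SHA-256 against the standard library.
    return sha256(data) == hashlib.sha256(data).digest()


def forge(m, tag, suffix, key_len):
    # Attacker's view: m, tag = h(k||m) and len(k) are known, k is not.
    # Returns m' = m||padding||length||suffix and h(k||m'), a valid tag under the h(k||m) scheme.
    glue = md_pad(key_len + len(m))              # exactly what h appended after k||m
    state = struct.unpack(">8I", tag)            # the tag is the chaining value after k||m||glue
    new_tag = sha256(suffix, state, key_len + len(m) + len(glue))
    return m + glue + suffix, new_tag


def demo():
    key = b"secret-key-16byt"                    # constructed sample key, unknown to the attacker
    m = b"amount=10&to=bob"                      # constructed sample message
    tag = hashlib.sha256(key + m).digest()       # MAC_k(m) = h(k||m), the definition on the slide
    m2, tag2 = forge(m, tag, b"&to=mallory", len(key))
    return tag2 == hashlib.sha256(key + m2).digest()   # True: the forged pair verifies
```

The forged message carries the glue bytes (0x80, zeros and the bit length) in the middle, which is why this matters most for formats that tolerate junk between fields, such as query strings or key=value lists where the last occurrence of a key wins.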

Page 4:

HMAC

HMACk(m) is defined as:

HMACk(m) = h((k ⊕ opad) ‖ h((k ⊕ ipad) ‖ m))

Here, the key k is padded with zeros to the block size of the hash function, and ipad and opad are constants of that block size (in the HMAC standard, the byte 0x36 repeated and the byte 0x5c repeated). The values of ipad and opad are not critical to the security of the algorithm, but were chosen to have a large Hamming distance from each other, so that the inner and outer keys have fewer bits in common. This definition can be shown to have good security properties: if you can break HMAC, then you can break the underlying hash function (more precisely, the compression function it is built from).
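The definition above written out in code and cross-checked against the standard library, added here as an example (not code from the slides). It assumes SHA-256 as h; the one detail the slide omits is that the HMAC standard first hashes any key longer than the block size.

```python
import hashlib
import hmac


def hmac_from_formula(key, msg, h=hashlib.sha256):
    # HMAC_k(m) = h((k xor opad) || h((k xor ipad) || m)), written out from the definition.
    block = h().block_size                       # 64 bytes for SHA-256
    if len(key) > block:                         # RFC 2104: keys longer than a block are hashed first
        key = h(key).digest()
    key = key.ljust(block, b"\x00")              # pad the key with zeros to the block size
    ipad = bytes([0x36] * block)                 # 0x36 = 00110110
    opad = bytes([0x5C] * block)                 # 0x5c = 01011100: differs from 0x36 in 4 of 8 bits
    k_in = bytes(a ^ b for a, b in zip(key, ipad))
    k_out = bytes(a ^ b for a, b in zip(key, opad))
    inner = h(k_in + msg).digest()               # inner hash over the message
    return h(k_out + inner).digest()             # outer hash over the inner digest only


def matches_stdlib(key, msg):
    # Cross-check against the standard library's HMAC (constant-time comparison).
    return hmac.compare_digest(hmac_from_formula(key, msg),
                               hmac.new(key, msg, hashlib.sha256).digest())
```

Note why the outer hash defeats the length-extension attack on h(k||m): the attacker only ever sees h(k_out || inner), and extending that yields h(k_out || inner || glue || x), which is not the HMAC of any message.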

Page 5:

CBC-MAC

CBC-MAC uses the CBC mode of operation of a block cipher, with a zero IV: the message is CBC-encrypted, the intermediate ciphertext blocks are discarded, and the last ciphertext block is the tag.

(Diagram omitted in the transcript. Source: Wikipedia.)

Page 6:

PMAC

Hash functions, HMAC and CBC-MAC are not parallelisable. PMAC addresses this issue.
Have two keys K and L.
Have a function P(K, i) = K · x^i in F_{2^n}.

Diagram (as drawn on the slide): each message block M_i, for i = 1, ..., r, is XORed with P(K, i) and encrypted with E under K; the r outputs are XORed together and the result is encrypted under L to give the tag. Each block can be processed independently, so the per-block work runs in parallel.

Page 7:

Security of MAC

Let m be a message. Then MACk(m) is sometimes called the tag for m.

A MAC function is secure if an attacker (not having the key) cannot produce a valid (message, tag) pair which s/he hasn't seen before.

This is called security against existential forgery.

Page 8:

Definition. The MAC game between challenger and attacker is defined as follows:

- The attacker does some computations and may in the process supply messages m1, ..., mn to the challenger.

- The challenger returns t1, ..., tn to the attacker, which are the result of creating the MAC for the messages m1, ..., mn.

- The attacker does some more computations and then supplies to the challenger a pair (m, t) which is not equal to any of the pairs (m1, t1), ..., (mn, tn).

- The challenger outputs 1 if t is obtained by creating the MAC for m, otherwise outputs 0.

The attacker wins the MAC game if the challenger outputs 1.

Page 9:

Definition. We call a MAC secure if no attacker can win the MAC game with non-negligible probability.

Here, as before, the probability is a function of the key length.

Page 10:

Example

CBC-MAC (as defined above, with a zero IV and no length encoding) is not secure unless you add restrictions.

Suppose the attacker possesses (m, t) and (m′, t′). Then he can forge a third pair, (m′′, t′′):

We assume that m′ is more than one block long; say m′ = m′1||m′2||...||m′p. Set m′′ = m||(m′1 ⊕ t)||m′2||...||m′p, and t′′ = t′. Check that (m′′, t′′) is a valid message-tag pair: after processing the blocks of m the CBC chain is in state t, so XORing the next block (m′1 ⊕ t) into it gives m′1, and from there the chain recomputes exactly the tag of m′. (The assumption on the length of m′ is not essential; the same splice works for p = 1.)

Page 11:

CBC-MAC result

Theorem. Assume CBC-MAC is used only on messages of a fixed length. If the block cipher used is a secure block cipher, then CBC-MAC is a secure MAC.

Another way to achieve this is to prepend the message length (as a full block) to the message before computing the MAC. It must be prepended: appending the length at the end does not prevent the splice above.
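The forgery from the previous slide and the length-prefix fix from this one, run side by side. This is an added example, not code from the slides; since the slides name no particular block cipher, it uses a small HMAC-based Feistel network as a stand-in for AES (a toy, fine for illustrating the chaining but not for real use). Keys and messages are constructed sample data.

```python
import hashlib
import hmac
import struct

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_cipher(key, block):
    # Stand-in for AES: a 4-round Feistel network whose round function is HMAC-SHA256
    # truncated to 8 bytes. A permutation on 128-bit blocks, which is all CBC-MAC needs here.
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


def cbc_mac(key, msg):
    # Raw CBC-MAC: zero IV, CBC-encrypt, output only the last ciphertext block.
    assert len(msg) % BLOCK == 0, "raw CBC-MAC needs whole blocks"
    x = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        x = toy_block_cipher(key, _xor(x, msg[i:i + BLOCK]))
    return x


def cbc_mac_len_prefixed(key, msg):
    # The fix on this slide: prepend the message length as a full first block, then CBC-MAC.
    return cbc_mac(key, struct.pack(">Q", len(msg)).rjust(BLOCK, b"\x00") + msg)


def splice_forgery(m, t, m2, t2):
    # The attack on the previous slide: m'' = m || (m'_1 xor t) || m'_2 || ... || m'_p, t'' = t'.
    return m + _xor(m2[:BLOCK], t) + m2[BLOCK:], t2


def demo(mac=cbc_mac):
    # Returns True if the spliced pair verifies under the given MAC: True for raw CBC-MAC,
    # False for the length-prefixed variant (the length block desynchronises the chain).
    key = b"constructed-key!"                         # constructed sample key
    m = b"pay 100 to alice"                           # one block
    m2 = b"pay 900 to carol" + b"; ref 42 padded!"    # two blocks
    t, t2 = mac(key, m), mac(key, m2)                 # the two pairs the attacker is given
    m3, t3 = splice_forgery(m, t, m2, t2)
    return mac(key, m3) == t3
```

With the length prefix, the attacker would need the tag of (len(m′′) block || m), which was never issued, so the splice no longer lines the chain up with m′.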

Page 12:

HMAC and PMAC results

Theorem. If the hash function used is secure, then HMAC is a secure MAC.

Theorem. If the block cipher used is secure, then PMAC is a secure MAC.

Page 13:

Authenticated encryption

Page 14:

So far, we have had cryptographic algorithms to achieve:

- Confidentiality: use encryption in CTR mode, with a random (never repeated) IV/nonce;

- Authenticity: use HMAC.

We want both privacy and integrity. There are two ways to achieve this:

- Combine encryption and a MAC in an appropriate way; or

- Use a new mode of operation which guarantees both confidentiality and authenticity.

Page 15:

Several possibilities for combination:

We need two keys, k1 and k2 (one for encryption, one for the MAC). You can derive the keys from a master key k: e.g., ki = MACk(i).

- Encrypt-then-MAC: encrypt the message, then compute the MAC of the ciphertext: Ek1(m), MACk2(Ek1(m))

- MAC-then-encrypt: first compute the MAC, then encrypt the message-MAC pair: Ek2(m, MACk1(m))

- Encrypt-and-MAC: the result is the pair of ciphertext and MAC of the plaintext: Ek1(m), MACk2(m)

Page 16:

Does this provide both privacy and integrity if the encryption is IND-CPA secure and the MAC cannot be forged?

- Encrypt-then-MAC: Yes. Used in IPsec.

- MAC-then-encrypt: Not in general, but it works in specific instances (e.g., if the encryption is CBC or CTR mode with a random IV). Used in SSL with the previous ciphertext block as the new IV, which is insecure.

- Encrypt-and-MAC: Not in general, but it works in specific instances (note that a deterministic MAC of the plaintext leaks whether two plaintexts are equal). Used in SSH.

Page 17:

Definition. An authenticated encryption system is an encryption function AE and a decryption function AD such that AD(k, AE(k, m)) = m, and AD(k, c) = ⊥ if c is not of the form AE(k, m).

Example: AE((k1, k2), m) := (Ek1(m), MACk2(Ek1(m)))

AD((k1, k2), (α, β)) := if MACk2(α) = β then Dk1(α) else ⊥
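The AE/AD pair just defined, together with the key derivation ki = MACk(i) from the earlier slide, as an added example (not code from the slides). The slides fix no concrete primitives, so this assumes HMAC-SHA256 as the MAC and CTR mode over HMAC-SHA256 as the IND-CPA encryption (a stand-in for AES-CTR); the nonce travels with the ciphertext and is covered by the MAC. Keys and messages are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN, NONCE_LEN = 32, 16


def derive_keys(master):
    # k_i = MAC_k(i). Assumption: the MAC is HMAC-SHA256 and i is encoded as a single byte.
    return (hmac.new(master, b"\x01", hashlib.sha256).digest(),
            hmac.new(master, b"\x02", hashlib.sha256).digest())


def ctr_encrypt(k1, nonce, data):
    # CTR mode with HMAC-SHA256 as the PRF (assumption; stands in for AES-CTR).
    # Keystream block i is PRF(nonce || i); encryption and decryption are the same XOR.
    stream = bytearray()
    for i in range(-(-len(data) // 32)):
        stream += hmac.new(k1, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def ae_encrypt(keys, m, nonce=None):
    # AE((k1, k2), m) = (E_k1(m), MAC_k2(E_k1(m))); the nonce is part of what the MAC covers.
    k1, k2 = keys
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    alpha = nonce + ctr_encrypt(k1, nonce, m)
    return alpha + hmac.new(k2, alpha, hashlib.sha256).digest()


def ae_decrypt(keys, ct):
    # AD((k1, k2), (alpha, beta)) = D_k1(alpha) if MAC_k2(alpha) == beta, else bottom (None here).
    k1, k2 = keys
    if len(ct) < NONCE_LEN + TAG_LEN:
        return None
    alpha, beta = ct[:-TAG_LEN], ct[-TAG_LEN:]
    expected = hmac.new(k2, alpha, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, beta):      # constant-time compare; reject before decrypting
        return None
    return ctr_encrypt(k1, alpha[:NONCE_LEN], alpha[NONCE_LEN:])


def demo():
    # A round trip, then two attacker moves from the AE game: ciphertexts the challenger never output.
    keys = derive_keys(b"constructed master key")
    ct = ae_encrypt(keys, b"transfer 100 to bob", nonce=bytes(NONCE_LEN))
    tampered = bytearray(ct)
    tampered[NONCE_LEN] ^= 0x01                      # flip one bit of the first ciphertext byte
    return ae_decrypt(keys, ct), ae_decrypt(keys, bytes(tampered)), ae_decrypt(keys, ct[:-1])
```

Two practical points the definition hides: the MAC is checked before any decryption happens, so malformed ciphertexts never reach the decryptor, and the check uses a constant-time comparison so that rejection timing does not reveal how much of the tag was right.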

Page 18:

Definition. We define the authenticated encryption game between challenger and attacker as follows:

- The challenger picks an encryption key k at random.

- The attacker does some computations and may send messages m1, ..., mn to the challenger.

- The challenger responds with the ciphertexts c1, ..., cn.

- The attacker does some more computations and submits a putative ciphertext c to the challenger.

- The challenger outputs 1 if c ≠ ci for all i and AD(k, c) ≠ ⊥.

The attacker wins this game if the challenger outputs 1.

Page 19:

Definition. An authenticated encryption scheme (AE, AD) is secure if the following conditions are satisfied:

- it satisfies IND-CPA;

- any attacker wins the authenticated encryption game with only negligible probability.

Page 20:

Theorem. If (E, D) is an IND-CPA secure encryption scheme and MAC is a secure MAC, then the authenticated encryption system obtained by first encrypting and then applying the MAC (with independent keys) is a secure authenticated encryption system.

Page 21:

Galois counter mode

Although Encrypt-then-MAC is secure (provided the encryption and the MAC are secure), this combination is not very efficient. It requires two passes through the data (once for the encryption, and once for the MAC).

There are modes of operation that encrypt the data and compute a MAC with a single pass through the data.

- Input: plaintext, key and nonce

- Output: ciphertext and authentication tag

Galois Counter Mode (GCM) is such a mode of operation, and has the advantage of being patent-free.

Page 22:

Galois counter mode (GCM)

GCM works similarly to CTR mode, in that it encrypts a nonce and counter value to produce a key stream which is XORed with the plaintext. In addition to CTR mode, it computes an authentication tag on the ciphertext. As in CTR mode, the nonce must never repeat under the same key: a repeat leaks the XOR of the two plaintexts and, in GCM, also allows the authentication key H to be recovered.

GCM works with 128-bit blocks. As well as authenticating the ciphertext, it can authenticate additional data which does not need to be encrypted (for example, a packet header). This is called “authenticated encryption with associated data” (AEAD).

In the picture on the next slide, the nonce (or IV) that is included in the encryption and sent along with the ciphertext is missing :-(

Page 23:

(GCM diagram; not reproduced in the transcript.)

Page 24:

GCM: the authentication tag

To compute the authentication tag, we work within the field GF(2^128), whose elements are 128-bit words. The operations ⊕ and ⊗ are defined on those words: ⊕ is bitwise XOR, and ⊗ is computed by considering the argument words as polynomials and multiplying them modulo x^128 + x^7 + x^2 + x + 1.

Let H = E_K(0^128) be the encryption of 128 zero bits under the encryption key, let A_1, ..., A_m be the blocks of data to be authenticated (but not encrypted), and C_1, ..., C_n the blocks of ciphertext. The last blocks A_m and C_n are padded with zeros to make 128 bits. Compute:

$$
X_i = \begin{cases}
0 & \text{if } i = 0 \\
(X_{i-1} \oplus A_i) \otimes H & \text{if } i = 1, \ldots, m \\
(X_{i-1} \oplus C_{i-m}) \otimes H & \text{if } i = m+1, \ldots, m+n \\
(X_{i-1} \oplus (\mathrm{len}(A) \,\|\, \mathrm{len}(C))) \otimes H & \text{if } i = m+n+1
\end{cases}
$$

Here len(A) and len(C) are the lengths in bits, each encoded as a 64-bit value. The authentication tag is the last of these values, X_{m+n+1}, XORed with the encryption of the initial counter block derived from the nonce (the block that "encrypts" it in the diagram).
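The GF(2^128) multiplication and the X_i recurrence above in code, added here as an example (not from the slides). It assumes the bit ordering of the GCM specification (bit 0 of a block is its leftmost bit, which is why the reduction polynomial appears as 0xE1 followed by zeros) and checks the result against test case 2 of the GCM specification, whose H, ciphertext and E_K(J0) values are quoted as constants because computing them would need AES, which the example deliberately leaves out.

```python
R = 0xE1 << 120       # x^128 + x^7 + x^2 + x + 1 in GCM's bit order (bit 0 = leftmost bit)


def gf_mul(x, y):
    # Multiply two elements of GF(2^128), given as 128-bit ints holding the block big-endian.
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:                   # bit i of x, numbered from the left as in the spec
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1      # v := v * x, reduced by the polynomial
    return z


def _blocks(data):
    # 128-bit blocks; the last block (A_m or C_n on the slide) is zero-padded. Empty input -> no blocks.
    data += b"\x00" * (-len(data) % 16)
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]


def ghash(h, a, c):
    # X_0 = 0; X_i = (X_{i-1} xor block_i) * H over the blocks of A, then of C;
    # finally fold in len(A) || len(C), both in bits as 64-bit values.
    H = int.from_bytes(h, "big")
    x = 0
    for blk in _blocks(a) + _blocks(c):
        x = gf_mul(x ^ blk, H)
    x = gf_mul(x ^ (((len(a) * 8) << 64) | (len(c) * 8)), H)
    return x.to_bytes(16, "big")


def gcm_tag(h, a, c, enc_j0):
    # T = GHASH(H, A, C) xor E_K(J0), J0 being the initial counter block derived from the nonce.
    return bytes(p ^ q for p, q in zip(ghash(h, a, c), enc_j0))


# Test case 2 of the GCM specification (K = 0^128, IV = 0^96, P = 0^128, no associated data):
H_TEST = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")      # H = E_K(0^128)
C_TEST = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")      # the single ciphertext block
EJ0_TEST = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")    # E_K(J0)
TAG_TEST = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")    # expected tag T
```

The bit-by-bit loop is the textbook multiplication; real implementations use precomputed tables of multiples of H or carry-less multiply instructions, and must do so in constant time, since H is secret.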

Page 25:

Recommendations

- Don't invent crypto yourself: use standards.
- For integrity, use SHA-2 or SHA-3.
- For authenticity, use HMAC.
- For confidentiality, use authenticated encryption:

  e.g., AES in CTR mode followed by HMAC (encrypt-then-MAC, with separate keys), or AES in GCM mode.

- Don't implement crypto yourself: use libraries.
