Transcript of lecture slides: mdr/teaching/crypto19/crypto6.pdf
Message authentication codes (MACs)
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 143
Message authentication codes
A hash function can be used to guarantee the integrity of messages (e.g., the integrity of downloaded software).
However, a hash function alone is insufficient to guarantee the authenticity of messages (i.e., the fact that a message came from a particular source). If you merely use a hash function, the attacker can modify the message and recompute the hash.
To guarantee authenticity, we use a “message authentication code”, a keyed hash function. Assumption: Alice and Bob share a key k.
Alice sends to Bob: m, MACk(m).
When Bob receives this message, say (m, x), he computes MACk(m) and then checks whether x = MACk(m).
How to define a MAC function from a hash function?
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 144
How to define MAC from a hash function?
- MACk(m) could be defined as h(k||m). However, this is vulnerable to a “length extension attack”: given m and h(k||m), one can construct m′ and h(k||m′) (for example, let m′ be m||padding||length(m)||m′′ for a suffix m′′ of the attacker's choice).
Thus, if Alice sent the message m with MACk(m) using this definition, the attacker could modify the message to m′ and supply a valid MACk(m′) without knowing k.
- The constructions MACk(m) = h(m||k) and MACk(m) = h(k||m||k) have also been found to have weaknesses.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 145
HMAC
HMACk(m) is defined as:
HMACk(m) = h((k ⊕ opad) ‖ h((k ⊕ ipad) ‖ m))
Here, the key k is padded with zeros to the block size of the hash function, and ipad and opad are constants of that block size. The values of ipad and opad are not critical to the security of the algorithm, but were defined in such a way as to have a large Hamming distance from each other, so that the inner key (k ⊕ ipad) and the outer key (k ⊕ opad) have fewer bits in common. This definition can be shown to have good security properties: if you can break HMAC, then you can break the underlying hash function.
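The following is an added example, not code from the slides: it builds HMAC from a plain hash function exactly as the formula above describes (zero-padded key, inner hash, outer hash) and checks the result against Python's standard hmac module. The byte values 0x36 for ipad and 0x5c for opad, and the rule that a key longer than one block is hashed first, come from RFC 2104 and are not stated on the slide.

```python
import hashlib
import hmac


def hmac_from_hash(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_k(m) = h((k xor opad) || h((k xor ipad) || m)), built from a plain hash.

    ipad = 0x36 and opad = 0x5c repeated to the block size are the RFC 2104
    constants; the slide only says they are fixed block-sized values with a
    large Hamming distance from each other.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-256, 128 for SHA-512
    # RFC 2104 step the slide omits: a key longer than one block is hashed first.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    # Pad the key with zeros to the block size of the hash function.
    key = key.ljust(block_size, b"\x00")
    ipad = bytes([0x36]) * block_size
    opad = bytes([0x5C]) * block_size
    inner_key = bytes(k ^ p for k, p in zip(key, ipad))
    outer_key = bytes(k ^ p for k, p in zip(key, opad))
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Bob's check: recompute MAC_k(m) and compare it with the received tag.

    compare_digest runs in constant time, so the comparison does not leak how
    many leading bytes of a wrong tag happened to be right.
    """
    return hmac.compare_digest(hmac_from_hash(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the hand-built HMAC against the standard library implementation."""
    return hmac_from_hash(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    k = b"shared key"
    t = hmac_from_hash(k, b"transfer 100 to Bob")
    print(t.hex(), verify_tag(k, b"transfer 100 to Bob", t), verify_tag(k, b"transfer 900 to Bob", t))
```

Because the key is hidden inside both the inner and the outer hash, an attacker who sees (m, HMACk(m)) cannot extend the inner hash the way the length extension attack extends h(k||m).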
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 146
CBC-MAC
CBC-MAC uses the CBC mode of operation of a block cipher: the message blocks are chained through the cipher as in CBC encryption (with a zero IV), and the final block of the chain is the tag.
Source: Wikipedia
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 147
PMAC
Hash functions, HMAC and CBC-MAC are not parallelisable. PMAC addresses this issue.
Have two keys K and L.
Have a function P(K, i) = K ∗ x^i in F_{2^n}.
[Figure: PMAC. Each message block M_i (i = 1, . . . , r) is XORed with P(K, i) and encrypted with E_K; the outputs are XORed together, and the result is encrypted with E_L to give the tag.]
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 148
Security of MAC
Let m be a message. Then MACk(m) is sometimes called the tag for m.
A MAC function is secure if an attacker (not having the key) cannot produce a valid (message, tag) pair which s/he hasn’t seen before.
This is called security against existential forgery.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 149
Definition. The MAC-game between challenger and attacker is defined as follows:
- The attacker does some computations and may in the process supply messages m1, . . . , mn to the challenger.
- The challenger returns t1, . . . , tn to the attacker, which are the result of creating the MAC for the messages m1, . . . , mn.
- The attacker does some more computations and then supplies to the challenger a pair (m, t), which is not equal to any of the pairs (m1, t1), . . . , (mn, tn).
- The challenger outputs 1 if t is obtained by creating the MAC for m; otherwise he returns 0.
The attacker wins the MAC-game if the challenger outputs 1.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 150
Definition. We call a MAC secure if no attacker can win the MAC-game with non-negligible probability.
Here, as before, the probability is a function of the key length.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 151
Example
CBC-MAC is not secure (unless you add restrictions).
Suppose the attacker possesses (m, t) and (m′, t′). Then he can forge a third pair, (m′′, t′′):
We assume that m′ is more than one block long; say m′ = m′1||m′2|| . . . ||m′p. Set m′′ = m||(m′1 ⊕ t)||m′2|| . . . ||m′p, and t′′ = t′. Check that (m′′, t′′) is a valid message-tag pair. (Hint: after the blocks of m have been processed, the CBC chaining value is t, so the next cipher input is (m′1 ⊕ t) ⊕ t = m′1, and from there the chain runs exactly as it did for m′.)
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 152
CBC-MAC result
Theorem. Assume CBC-MAC is used only on messages of a fixed length. If the block cipher used is a secure block cipher, then CBC-MAC is a secure MAC.
Another way to achieve this is to prepend the length of the message to the message.
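As an added example (not from the slides) covering both the Example slide and the CBC-MAC result above, the code below builds raw CBC-MAC, performs the splice from the Example slide and lets Bob's verification decide whether the spliced pair is accepted, then repeats the same steps against the length-prefixed variant. The block cipher E_k is replaced by a constructed stand-in (an HMAC-SHA256 output truncated to one block, so the example runs on the standard library alone); it is not a real block cipher, but CBC-MAC only evaluates E_k forwards, and the result does not depend on which keyed block function is used. Key and messages are constructed sample values.

```python
import hmac

BLOCK = 16  # 128-bit blocks


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E_k (constructed for this example): a keyed PRF
    truncated to one block. Not invertible, but CBC-MAC never needs E_k^-1."""
    assert len(block) == BLOCK
    return hmac.new(key, block, "sha256").digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(message: bytes) -> list:
    assert len(message) % BLOCK == 0, "the example keeps messages block-aligned"
    return [message[i:i + BLOCK] for i in range(0, len(message), BLOCK)]


def cbc_mac(key: bytes, message: bytes) -> bytes:
    """Raw CBC-MAC: CBC chain with a zero IV; the tag is the last chain value."""
    state = bytes(BLOCK)
    for b in blocks(message):
        state = block_fn(key, xor(state, b))
    return state


def cbc_mac_length_prefixed(key: bytes, message: bytes) -> bytes:
    """The fix from the CBC-MAC result slide: the message length is the first block,
    so the chain for a message never continues the chain of a shorter one."""
    length_block = len(message).to_bytes(BLOCK, "big")
    return cbc_mac(key, length_block + message)


def splice(m: bytes, t: bytes, m_prime: bytes, t_prime: bytes):
    """The Example slide's construction: m'' = m || (m'_1 xor t) || m'_2 || ... || m'_p, t'' = t'."""
    mp = blocks(m_prime)
    assert len(mp) > 1, "the slide assumes m' is more than one block long"
    return m + xor(mp[0], t) + b"".join(mp[1:]), t_prime


def demo(key: bytes = b"shared key k", m: bytes = b"A" * 32, m_prime: bytes = b"B" * 48):
    """Returns (accepted_by_raw_cbc_mac, accepted_by_length_prefixed_cbc_mac) for the
    spliced pair built from the two legitimately tagged messages."""
    results = []
    for mac in (cbc_mac, cbc_mac_length_prefixed):
        t, t_prime = mac(key, m), mac(key, m_prime)  # the two (message, tag) pairs seen
        m2, t2 = splice(m, t, m_prime, t_prime)
        results.append(hmac.compare_digest(mac(key, m2), t2))  # Bob's verification
    return tuple(results)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The first result confirms the slide's "check that (m′′, t′′) is valid"; the second shows why the theorem restricts CBC-MAC to fixed-length messages or a length prefix: once the length sits in the first block, the chaining value after m is no longer t, so the cancellation (m′1 ⊕ t) ⊕ t = m′1 no longer happens.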
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 153
HMAC and PMAC results
Theorem. If the hash function used is secure, then HMAC is a secure MAC.
Theorem. If the block cipher used is secure, then PMAC is a secure MAC.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 154
Authenticated encryption
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 155
So far: we had cryptographic algorithms to achieve
- Confidentiality: use encryption with CTR mode and a random IV (nonce);
- Authenticity: use HMAC.
We want both privacy and integrity. There are two ways to achieve this:
- Combine encryption and MAC in an appropriate way; or
- Use a new mode, which guarantees both confidentiality and authenticity.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 156
Several possibilities for combination:
Need two keys, k1 and k2. You can derive the keys from a master key k: e.g., ki = MACk(i).
- Encrypt-then-MAC: encrypt the message, then compute the MAC of the ciphertext: Ek1(m), MACk2(Ek1(m))
- MAC-then-encrypt: first compute the MAC, then encrypt the message-MAC pair: Ek2(m, MACk1(m))
- Encrypt-and-MAC: the result is the pair of ciphertext and MAC: Ek1(m), MACk2(m).
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 157
Does this provide both privacy and integrity if the encryption is IND-CPA secure and the MAC cannot be forged?
- Encrypt-then-MAC: Yes. Used in IPsec.
- MAC-then-encrypt: Not in general, but works in specific instances (e.g., if encryption is CBC or CTR mode with a random IV). Used in SSL with the previous ciphertext block as the new IV, which is insecure.
- Encrypt-and-MAC: Not in general, but works in specific instances. Used in SSH.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 158
Definition. An authenticated encryption system is an encryption function AE and a decryption function AD such that AD(k, AE(k, m)) = m, and AD(k, c) = ⊥ if c is not of the form AE(k, m).
Example: AE((k1, k2), m) := (Ek1(m), MACk2(Ek1(m)))
AD((k1, k2), (α, β)) := if MACk2(α) = β then Dk1(α) else ⊥
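The following is an added example, not code from the slides, of the Encrypt-then-MAC AE/AD pair defined above, together with the key derivation ki = MACk(i) from the combination slide. The encryption E is a constructed CTR-style stand-in (a keystream of HMAC-SHA256 blocks over nonce || counter) so that the example runs on the standard library alone; with a real library one would substitute AES-CTR. The nonce is carried inside α so that the MAC covers it, and AD checks the tag before decrypting anything, returning None for ⊥.

```python
import hmac
import os

NONCE_LEN = 12


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, "sha256").digest()


def derive_keys(master: bytes):
    """k_i = MAC_k(i) as on the combination slide: k1 for encryption, k2 for the MAC."""
    return mac(master, b"\x01"), mac(master, b"\x02")


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style keystream: block i = PRF(key, nonce || i), XORed onto the data.
    Stand-in for AES-CTR built from HMAC-SHA256 (constructed for this example);
    as with CTR, the same call decrypts. A nonce must never repeat under one key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = mac(key, nonce + (i // 32).to_bytes(8, "big"))
        out += bytes(d ^ k for d, k in zip(data[i:i + 32], keystream))
    return bytes(out)


def ae(master: bytes, message: bytes, nonce: bytes = None):
    """AE((k1, k2), m) := (E_k1(m), MAC_k2(E_k1(m))); alpha = nonce || ciphertext."""
    k1, k2 = derive_keys(master)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    alpha = nonce + ctr_xor(k1, nonce, message)
    beta = mac(k2, alpha)  # the MAC covers the nonce and the whole ciphertext
    return alpha, beta


def ad(master: bytes, alpha: bytes, beta: bytes):
    """AD((k1, k2), (alpha, beta)) := if MAC_k2(alpha) = beta then D_k1(alpha) else ⊥ (None).
    The tag is checked first, in constant time; nothing is decrypted on failure."""
    k1, k2 = derive_keys(master)
    if not hmac.compare_digest(mac(k2, alpha), beta):
        return None
    nonce, ciphertext = alpha[:NONCE_LEN], alpha[NONCE_LEN:]
    return ctr_xor(k1, nonce, ciphertext)


if __name__ == "__main__":
    k = b"master key k"  # constructed sample key
    alpha, beta = ae(k, b"attack at dawn")
    print(ad(k, alpha, beta))                                     # b'attack at dawn'
    print(ad(k, alpha[:-1] + bytes([alpha[-1] ^ 1]), beta))       # None: ciphertext altered
```

Flipping one bit of α (or of β) makes AD return ⊥ rather than a modified plaintext, which is the property the authenticated encryption game below asks for; with a plain CTR stream and no MAC, the same bit flip would silently flip the corresponding plaintext bit.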
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 159
Definition. We define the authenticated encryption game between challenger and attacker as follows:
- The challenger picks an encryption key at random.
- The attacker does some computations and may send messages m1, . . . , mn to the challenger.
- The challenger responds with the ciphertexts c1, . . . , cn.
- The attacker does some more computations and submits a putative ciphertext c to the challenger.
- The challenger outputs 1 if c ≠ ci for all i and D(k, c) ≠ ⊥.
The attacker wins this game if the challenger outputs 1.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 160
Definition. An authenticated encryption scheme (E, D) is secure if the following conditions are satisfied:
- it satisfies IND-CPA;
- any attacker wins the authenticated encryption game with only negligible probability.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 161
Theorem. If (E, D) is an IND-CPA secure encryption scheme and MAC is a secure MAC, then the authenticated encryption system obtained by first encrypting and then applying the MAC is a secure authenticated encryption system.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 162
Galois counter mode
Although Encrypt-then-MAC is secure (provided the encryption and the MAC are secure), this combination is not very efficient. It requires two passes through the data (once for encryption, and once for the MAC).
There are modes of operation that encrypt the data and compute a MAC with a single pass through the data.
- Input: plaintext and key
- Output: ciphertext and authentication tag
Galois Counter Mode (GCM) is such a mode of operation, and has the advantage of being patent-free.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 163
Galois counter mode (GCM)
GCM works similarly to CTR mode, in that it encrypts a nonce and counter value to produce a key stream which is XOR’d with the plaintext. In addition to CTR mode, it computes an authentication tag on the ciphertext.
GCM works with 128-bit blocks. As well as authenticating the ciphertext, it can authenticate additional data which was not required to be encrypted. This is called “authenticated encryption with associated data (AEAD)”.
In the picture on the next slide, the nonce (or IV) that gets included in the encryption and is sent along with the ciphertext is missing :-(
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 164
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 165
GCM: the authentication tag
To compute the authentication tag, we work within the field GF(2^128) whose elements are 128-bit words. The operations ⊕ and ⊗ are defined on those words: ⊕ is bitwise XOR, and ⊗ is computed by considering the argument words as polynomials and multiplying them modulo x^128 + x^7 + x^2 + x + 1.
Let H = EK(0^128) be the encryption of 128 zero bits using the encryption key, and let A1, . . . , Am be the blocks of data to be authenticated, and C1, . . . , Cn the blocks of ciphertext. The last blocks Am and Cn are padded with zeros to make 128 bits. Compute:
X0 = 0
Xi = (Xi−1 ⊕ Ai) ⊗ H for i = 1, . . . , m
Xi = (Xi−1 ⊕ Ci−m) ⊗ H for i = m + 1, . . . , m + n
Xi = (Xi−1 ⊕ (len(A)||len(C))) ⊗ H for i = m + n + 1
The authentication tag is the final of these values, namely Xm+n+1, encrypted as the first block (see diagram).
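As an added example (not code from the slides), the following implements the recurrence above: ⊗ as carry-less multiplication reduced modulo x^128 + x^7 + x^2 + x + 1, the chain X0, . . . , Xm+n+1 over the zero-padded blocks of A and C, and the final masking of Xm+n+1 with EK of the first counter block, which is how GCM "encrypts" it into the tag. Two assumptions are labelled in the code: EK is a constructed stand-in (HMAC-SHA256 truncated to 128 bits) rather than AES, and bit i of each word is taken as the coefficient of x^i, the slide's plain reading, whereas NIST's GCM specification numbers the bits in the opposite order, so the tags here will not match a real GCM library. The field arithmetic and the chaining are otherwise exactly as described.

```python
import hmac

# x^128 + x^7 + x^2 + x + 1, the reduction polynomial from the slide
REDUCTION = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1


def gf_mul(a: int, b: int) -> int:
    """⊗ on 128-bit words read as polynomials over GF(2): carry-less multiply,
    reduced modulo REDUCTION. Bit i of the integer is the coefficient of x^i
    (assumption: the slide's plain reading; NIST SP 800-38D reverses the bit order)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> 128:  # degree reached 128: subtract (XOR) the modulus
            a ^= REDUCTION
    return result


def pad_blocks(data: bytes) -> list:
    """Split into 128-bit blocks, zero-padding the last one as the slide specifies."""
    chunks = [data[i:i + 16] for i in range(0, len(data), 16)]
    if chunks:
        chunks[-1] = chunks[-1].ljust(16, b"\x00")
    return [int.from_bytes(c, "big") for c in chunks]


def ghash(h: int, aad: bytes, ciphertext: bytes) -> int:
    """X_0 = 0; X_i = (X_{i-1} ⊕ A_i) ⊗ H over the A blocks, then over the C blocks,
    and finally (X ⊕ (len(A)||len(C))) ⊗ H. Lengths are in bits, 64 bits each, as in GCM."""
    x = 0
    for a in pad_blocks(aad):
        x = gf_mul(x ^ a, h)
    for c in pad_blocks(ciphertext):
        x = gf_mul(x ^ c, h)
    lengths = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    return gf_mul(x ^ lengths, h)


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K (constructed for this example): a keyed PRF truncated to 128 bits."""
    return hmac.new(key, block, "sha256").digest()[:16]


def auth_tag(key: bytes, nonce: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """H = E_K(0^128); X_{m+n+1} is then masked with E_K of the first counter block
    (12-byte nonce || 32-bit counter 1), which is GCM's way of encrypting it into the tag."""
    h = int.from_bytes(block_fn(key, bytes(16)), "big")
    j0 = nonce + (1).to_bytes(4, "big")
    mask = int.from_bytes(block_fn(key, j0), "big")
    return (ghash(h, aad, ciphertext) ^ mask).to_bytes(16, "big")


if __name__ == "__main__":
    # constructed sample inputs
    tag = auth_tag(b"key", b"n" * 12, b"header", b"ciphertext bytes from CTR")
    altered = auth_tag(b"key", b"n" * 12, b"header", b"ciphertext bytes from CTX")
    print(tag.hex(), altered.hex(), tag != altered)
```

Because H is a non-zero field element, each step (X ⊕ block) ⊗ H is injective in the block, so changing any bit of A or C, or the lengths, changes Xm+n+1 and therefore the tag; the mask with EK(J0) is what stops an attacker from solving for H from an observed tag.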
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 166
Recommendations
- Don’t invent crypto yourself: use standards.
- For integrity, use SHA-2 or SHA-3.
- For authenticity, use HMAC.
- For confidentiality, use authenticated encryption, e.g., AES in CTR mode followed by HMAC, or AES in GCM mode.
- Don’t implement crypto yourself: use libraries.
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 167