
Message Integrity



Presentation Transcript


  1. Message Integrity CS255 Winter ’06

  2. Message Integrity
  • Goal: provide message integrity. No confidentiality.
  • ex: Protecting public binaries on disk. Protecting ads.
  • Requires secret key k unknown to attacker.
  • Def: MAC I = (S,V) defined over (K,M,T) is a pair of algorithms:
    - S(k,m) outputs t ∈ T,
    - V(k,m,t) outputs `yes’ or `no’
  [Figure: Alice and Bob share key k. Alice generates tag ← S(k, m) and sends message m together with tag; Bob verifies tag: V(k, m, tag) = `yes’ ?]

  3. Secure MACs
  • Attacker’s power: chosen message attack.
    • for m1, m2, …, mq attacker is given ti ← S(k, mi)
  • Attacker’s goal: existential forgery.
    • produce some new valid message/tag pair (m,t): (m,t) ∉ { (m1,t1), …, (mq,tq) }
  • Note: attacker cannot even produce a valid tag for a nonsensical message.

  4. ti S(k,mi) (m,t) mi M b=1 when V(k,m,t) = `yes’ and (m,t)  { (m1,t1) , … , (mq,tq) } b=0 otherwise Secure MACs • For a MAC I=(S,V) and adv. A we define a MAC game: • Def: I=(S,V) is a secure MAC if for all “efficient” A: MAC Adv[A,I] = Pr[Chal. outputs 1] is “negligible.” Chal. Adv. kK b

  5. Any secure PRF is a secure MAC
  • Let F be a PRF over (K,X,Y). Define a MAC IF = (S,V):
    • S(k,m) = F(k,m)
    • V(k,m,t): output `yes’ if t = F(k,m) and `no’ otherwise.
  • Theorem: If F is a secure PRF and 1/|Y| is negligible then IF is a secure MAC. In particular, for any MAC adversary A attacking IF there exists a PRF adversary B attacking F s.t.:
    MAC Adv[A, IF] ≤ PRF Adv[B, F] + 1/|Y|
  ⇒ IF is secure as long as |Y| is large, say |Y| = 2^80.

  6. Proof Sketch
  • Intuition:
    • Adversary A issues chosen message queries m1, m2, …
    • Gets back F(k,m1), F(k,m2), …
    • Must guess F(k,m) for m ∉ {m1, m2, …}
    • But F is a PRF, so prob A guesses F(k,m) is 1/|X|
  • Truncating MACs:
    • Suppose MAC is a PRF outputting n-bit tags (|Y| = 2^n).
    • It is OK to truncate the MAC output to w<n bits … as long as 1/2^w is still negligible (say w ≥ 64)

  7. Examples
  • AES: a MAC for 16-byte messages.
  • Main question: how to convert Small-MAC into a Big-MAC?
  • Two main constructions:
    • CBC-MAC (banking – ANSI X9.9, X9.19, FIPS 186-3)
    • HMAC (Internet protocols: SSL, IPsec, SSH, …)
  • Both convert a small-PRF into a big-PRF.

  8. Construction 1: (E) CBC-MAC
  [Figure: Raw CBC over the message blocks m[0], m[1], m[3], m[4]: each block is XORed (⊕) with the previous F(k,·) output and fed through F(k,·); the last chain output is then passed through F(k1,·) to give the tag.]
  Let F be PRF over (K,X,X). Define new PRF FCBC over (K^2, X^L, X)

  9. CBC-MAC: Analysis
  • CBC-MAC Theorem: For any L>0, if F is a secure PRF over (K,X,X) then FCBC is a secure PRF over (K, X^L, X). In particular, for a q-query PRF adv. A attacking FCBC there exists a PRF adversary B s.t.:
    PRF Adv[A, FCBC] ≤ PRF Adv[B, F] + 2 q^2 L^{o(1)} / |X|
  • Note: CBC-MAC is secure as long as q << |X|^{1/2}

  10. Why the last encryption step?
  • Suppose we define a MAC IRAW = (S,V) where S(k,m) = RawCBC(k,m)
  • Fact: IRAW is easily broken using a chosen msg attack.
  • Adversary works as follows:
    • Pick an arbitrary one-block message m ∈ M
    • Request tag for m. Get t = F(k,m)
    • Output t as MAC forgery for the two-block message (m, t⊕m)
  • Indeed: RawCBC(k, (m, t⊕m)) = F(k, t ⊕ (t⊕m)) = F(k, m) = t
  • Unimportant note: RawCBC is secure for prefix-free inputs.

  11. CBC-MAC Padding
  • What if the length of m is not a multiple of the block size?
  • Bad idea: pad m with 0’s
    • Vulnerable to chosen message attack: ask for tag on m and obtain tag on m||0
  • ISO: pad with “100000…”. Add new block if needed.
    • The “1” indicates beginning of pad.
  • CMAC: different padding. Never adds an extra block.
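The two defects of slides 10 and 11 side by side, as an added Go example that is not code from the CS255 slides: a minimal AES-based CBC-MAC in its raw and encrypted (ECBC) forms, plus zero padding beside ISO “1000…” padding. The PRF F(k,·) is instantiated as one AES block encryption; keys and messages are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
)

// prf is the block PRF F(k, x) = AES_k(x): k is a 16-byte key, x one 16-byte block.
func prf(k, x []byte) []byte {
	c, err := aes.NewCipher(k)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	c.Encrypt(out, x)
	return out
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RawCBC chains c = F(k, m[i] XOR c) starting from c = 0 and returns the last c.
// len(m) must be a multiple of 16, so pad m first.
func RawCBC(k, m []byte) []byte {
	c := make([]byte, 16)
	for i := 0; i < len(m); i += 16 {
		c = prf(k, xor(m[i:i+16], c))
	}
	return c
}

// ECBC is RawCBC followed by the final encryption under an independent key k1 (slide 8).
func ECBC(k, k1, m []byte) []byte { return prf(k1, RawCBC(k, m)) }

// PadZero fills the last block with 0 bytes (slide 11's bad idea): m and m||0 can pad identically.
func PadZero(m []byte) []byte {
	return append(append([]byte{}, m...), bytes.Repeat([]byte{0}, (16-len(m)%16)%16)...)
}

// PadISO appends the byte 0x80 ("1000 0000") and then 0 bytes to the block boundary,
// so it always adds at least one byte and a whole new block when m fills its last block.
func PadISO(m []byte) []byte {
	p := append(append([]byte{}, m...), 0x80)
	return append(p, bytes.Repeat([]byte{0}, (16-len(p)%16)%16)...)
}
```

With the final encryption the verifier's chain value t = F(k,m) never leaves the MAC, so the (m, t⊕m) trick has nothing to work with; the padding checks show why m and m||0 must pad to different strings.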

  12. Construction 2: PMAC
  • CBC-MAC is sequential. PMAC – Parallel MAC.
  [Figure: each message block m[i] is XORed (⊕) with a mask P(k,i) (P(k,0), P(k,1), P(k,2), P(k,3) shown) and fed through F(k,·) independently; the F(k,·) outputs are XORed together and the result is passed through F(k1,·) to give the tag.]

  13. PMAC: Analysis
  • PMAC Theorem: For any L>0, if F is a secure PRF over (K,X,X) then FPMAC is a secure PRF over (K, X^L, X). In particular, for a q-query PRF adv. A attacking FPMAC there exists a PRF adversary B s.t.:
    PRF Adv[A, FPMAC] ≤ PRF Adv[B, F] + 2 q^2 L^2 / |X|
  • Note: PMAC is secure as long as qL << |X|^{1/2}
  • Note: PMAC is incremental. Homework.
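An added Go example, not from the slides, of the PMAC construction of slide 12 and the incremental property noted on slide 13. The slides do not define the masks P(k,i); this example assumes P(k,i) = F(k, i) with i as a 16-byte counter, a simplification that is not the mask schedule of standardized PMAC. F(k,·) is one AES block encryption.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
)

// prf is the block PRF F(k, x) = AES_k(x): k is a 16-byte key, x one 16-byte block.
func prf(k, x []byte) []byte {
	c, err := aes.NewCipher(k)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	c.Encrypt(out, x)
	return out
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// mask is P(k, i). The slides leave P undefined; this example ASSUMES P(k, i) = F(k, i)
// with i as a 16-byte big-endian counter (a simplification, not standardized PMAC's masks).
func mask(k []byte, i int) []byte {
	ctr := make([]byte, 16)
	binary.BigEndian.PutUint64(ctr[8:], uint64(i))
	return prf(k, ctr)
}

// PMACSum XORs F(k, m[i] XOR P(k,i)) over the blocks of m; each term depends on one block only.
func PMACSum(k, m []byte) []byte {
	sum := make([]byte, 16)
	for i := 0; i*16 < len(m); i++ {
		sum = xor(sum, prf(k, xor(m[i*16:i*16+16], mask(k, i))))
	}
	return sum
}

// PMAC finishes the sum with the final encryption under the independent key k1.
func PMAC(k, k1, m []byte) []byte { return prf(k1, PMACSum(k, m)) }
// UpdateSum replaces block j without touching the other blocks: XOR out the old block's
// term and XOR in the new one; re-encrypting the new sum under k1 gives the new tag.
func UpdateSum(k, sum []byte, j int, oldBlk, newBlk []byte) []byte {
	return xor(xor(sum, prf(k, xor(oldBlk, mask(k, j)))), prf(k, xor(newBlk, mask(k, j))))
}
```

The key holder keeps the pre-final sum next to the tag, so editing one block of a long message costs two F(k,·) calls and one F(k1,·) call instead of a full recomputation.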

  14. Construction 3: HMAC (Hash-MAC)
  • Most widely used MAC on the Internet.
  • … but first we discuss hash functions.

  15. Collision Resistant Hashing

  16. Collision Resistance
  • Let H: M → T be a hash function.
  • A collision for H is a pair m0, m1 ∈ M such that: H(m0) = H(m1) and m0 ≠ m1
  • Def: A function H is collision resistant if for all (uniform) “efficient” algs. A: CR Adv[A,H] = Pr[ A outputs collision for H ] is “negligible”
  • Used to have lots of examples: MD5, SHA1, …
  • Currently, only: SHA-256, SHA-512, Whirlpool
  [Slide annotates these lists with throughput figures: 44.5MB/sec, 11.4, 12.1; 216MB/s, 68]

  17. MACs from Collision Resistance
  • Let I = (S,V) be a MAC for small messages over (K,M,T). Let H: Mbig → M
  • Define: Ibig = (Sbig, Vbig) over (K, Mbig, T) as: Sbig(k,m) = S(k,H(m)) ; Vbig(k,m,t) = V(k,H(m),t)
  • Theorem: If I is a secure MAC and H is collision resistant then Ibig is a secure MAC.
  • So: S(k,m) = AES(k, SHA-256(m)) is a secure MAC.
