CMSC 414 Computer and Network Security, Lecture 5 (Jonathan Katz)
MAC functionality (review)
[Figure: Alice and Bob share a key k; Alice sends (m, t) with t = Mac_k(m); Bob runs Vrfy_k(m', t') on the pair he receives]
• Shared key k
• Sender computes a tag t on the message m using k
• Receiver verifies the message/tag pair using k
Defining security
• Attack model:
  • A random key k is chosen
  • Attacker is allowed to obtain t1 = Mac_k(m1), …, tn = Mac_k(mn) for any messages m1, …, mn of its choice
  • Attacker is successful if it outputs a forgery, i.e., a pair (m, t) with:
    • m ≠ mi for all i
    • Vrfy_k(m, t) = 1
• For any time-bounded adversary, the probability of a successful attack should be small
A MAC for short messages
• Let F be a block cipher with n-bit block length (input and output)
• To authenticate an n-bit message m using key k, compute t = F_k(m)
• Vrfy_k(m, t): output 1 iff t = F_k(m)
• Why is this secure? (Hint: F_k is a pseudorandom function, so the tag on any message the attacker has not queried looks uniformly random to it)
Authenticating longer messages?
• Two widely used schemes (among several):
  • CBC-MAC
  • HMAC
CBC-MAC
• Fix a message length of L·n bits (L blocks), where the block cipher has n-bit block length
• To compute Mac_k(m1, …, mL) do:
  • Set t0 = 0^n
  • For i = 1 to L, set ti := F_k(t(i-1) ⊕ mi)
  • Output tL
• To verify, re-compute and check…
• [Note the similarities to (and differences from) CBC mode encryption: there is no IV, and only the final block is output]
Security of CBC-MAC?
• Secure for fixed-length messages
• Insecure (as described) for variable-length messages
• Must use secure variants of CBC-MAC if variable-length messages will be authenticated
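The following is an added example (not part of the lecture) covering the three slides above: the one-block MAC t = F_k(m), raw CBC-MAC, the forgery that breaks raw CBC-MAC once variable-length messages are accepted, and one secure variant. Assumptions: F_k is modelled as HMAC-SHA256 truncated to 16 bytes, a pseudorandom function standing in for AES-128 (the Python standard library ships no block cipher); the "secure variant" shown is the length-prepending construction, in which the block count is authenticated as the first block. The sample messages are constructed for the demo.

```python
"""CBC-MAC over a PRF: the variable-length forgery and a length-prepending fix.

Added example, not lecture code. ASSUMPTION: F is HMAC-SHA256 truncated to
n = 128 bits, used as a stand-in for a block cipher such as AES-128.
"""
import hashlib
import hmac
import os

BLOCK = 16  # n = 128 bits


def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher F_k: {0,1}^n -> {0,1}^n (assumption)."""
    assert len(x) == BLOCK
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(m: bytes) -> list:
    if len(m) == 0 or len(m) % BLOCK:
        raise ValueError("message must be a non-zero multiple of the block size")
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]


def cbc_mac(k: bytes, m: bytes) -> bytes:
    """Raw CBC-MAC from the slide: t0 = 0^n, ti = F_k(t(i-1) XOR mi), output tL.
    For a one-block m this is exactly the short-message MAC t = F_k(m)."""
    t = bytes(BLOCK)
    for mi in blocks(m):
        t = F(k, xor(t, mi))
    return t


def cbc_mac_verify(k: bytes, m: bytes, t: bytes, L: int = None) -> bool:
    """Verify by recomputing. If L is given, only L-block messages are accepted
    (the fixed-length setting in which raw CBC-MAC is secure)."""
    if L is not None and len(m) != L * BLOCK:
        return False
    return hmac.compare_digest(cbc_mac(k, m), t)


def forge(tag_oracle, m1: bytes, m2: bytes):
    """Forgery in the attack model: two tagging queries on one-block messages.
    With t1 = F_k(m1):  Mac_k(m1 || (m2 XOR t1)) = F_k(t1 XOR m2 XOR t1) = F_k(m2) = t2.
    The attacker never learns k; it only uses the tagging oracle."""
    t1 = tag_oracle(m1)
    t2 = tag_oracle(m2)
    forged_msg = m1 + xor(m2, t1)   # two blocks, never queried
    return forged_msg, t2


def cbc_mac_lenprefix(k: bytes, m: bytes) -> bytes:
    """Secure variant for variable-length messages (assumption: length-prepending):
    authenticate the block count as the first block, then run raw CBC-MAC."""
    L = len(blocks(m))
    return cbc_mac(k, L.to_bytes(BLOCK, "big") + m)


def demo() -> dict:
    k = os.urandom(BLOCK)
    oracle = lambda m: cbc_mac(k, m)
    m1 = b"transfer $100 to".ljust(BLOCK)   # constructed one-block samples
    m2 = b"account 4242424".ljust(BLOCK)
    forged_msg, forged_tag = forge(oracle, m1, m2)
    return {
        "is_new_message": forged_msg not in (m1, m2),
        "raw_accepts_forgery": cbc_mac_verify(k, forged_msg, forged_tag),
        "fixed_length_rejects": not cbc_mac_verify(k, forged_msg, forged_tag, L=1),
        "lenprefix_rejects": not hmac.compare_digest(
            cbc_mac_lenprefix(k, forged_msg), forged_tag),
    }


if __name__ == "__main__":
    print(demo())
```

Note that `forge` needs no knowledge of k and only two chosen-message queries, which is exactly the attack model on the "Defining security" slide; the same verifier that accepts the forgery becomes secure again simply by fixing L, and the length-prepending variant rejects it because the block count now enters the computation.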
HMAC
• Can be viewed as a version of "hash-and-MAC", using collision-resistant hashing…
Hash functions
• A (cryptographic) hash function H maps arbitrary-length inputs to a fixed-length output
• Main goal is collision resistance:
  • Hard to find distinct x, x' such that H(x) = H(x')
• Other goals
  • Second pre-image resistance: given x, hard to find x' ≠ x with H(x) = H(x')
  • "Random-looking output", i.e., "acts like a random oracle"
    • Controversial; more later
Hash functions in practice
• MD5
  • 128-bit output
  • Introduced in 1991… collision attacks found in 2004… several extensions and improvements to the attacks since then
  • Still widely deployed(!)
• SHA-1
  • 160-bit output
  • No collisions known at the time of this lecture, but theoretical attacks exist (a practical collision was later demonstrated, in 2017)
• SHA-2
  • 256-/512-bit outputs
• Competition to design a new hash standard (the NIST SHA-3 competition) has just begun…
Hash-and-MAC
[Figure: M → H → H(M) → MAC with key K → t]
• Hash message to short "digest"
• MAC the digest
• HMAC uses essentially this idea
(Informal) sketch of security?
• Say the adversary sees tags on m1, …, mt, and outputs a valid forgery on some m ∉ {m1, …, mt}
• Two possibilities:
  • H(m) = H(mi) for some i: a collision in H
  • H(m) ∉ {H(m1), …, H(mt)}: a forgery in the underlying MAC for short messages, on a digest that was never tagged
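An added example (not from the lecture) that makes the first case of the sketch concrete: hash-and-MAC with a hash that is not collision-resistant is forgeable, and the forgery is exactly a collision. Assumptions: the "MAC for short messages" is HMAC-SHA256 applied to the digest; the weak hash `H_weak` is SHA-256 truncated to 16 bits, chosen only so that a birthday search finds a collision in a few hundred evaluations; `H_strong` is full SHA-256. Real HMAC, the construction named on the slide, is `hmac.new(k, m, hashlib.sha256)` in the standard library.

```python
"""Hash-and-MAC: a collision in H is a forgery against Mac_k(H(m)).

Added example, not lecture code. ASSUMPTIONS: mac_short is HMAC-SHA256 on the
digest; H_weak is SHA-256 truncated to 16 bits so a collision is cheap to find.
"""
import hashlib
import hmac
import os


def H_strong(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()


def H_weak(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()[:2]   # 16-bit output: not collision-resistant


def mac_short(k: bytes, digest: bytes) -> bytes:
    """MAC for short (fixed-length) inputs, applied to the digest only."""
    return hmac.new(k, digest, hashlib.sha256).digest()


def hash_and_mac(k: bytes, m: bytes, H) -> bytes:
    return mac_short(k, H(m))


def verify(k: bytes, m: bytes, t: bytes, H) -> bool:
    return hmac.compare_digest(hash_and_mac(k, m, H), t)


def find_collision(H, prefix: bytes = b"msg-"):
    """Birthday search: returns distinct x, x' with H(x) == H(x')."""
    seen = {}
    i = 0
    while True:
        x = prefix + str(i).encode()
        d = H(x)
        if d in seen:
            return seen[d], x
        seen[d] = x
        i += 1


def demo() -> dict:
    k = os.urandom(32)
    x, x_prime = find_collision(H_weak)
    # Attack model: one tagging query on x, then a forgery on x' != x.
    t_weak = hash_and_mac(k, x, H_weak)
    forged = verify(k, x_prime, t_weak, H_weak)
    # With a collision-resistant H the same two inputs give different digests,
    # so the tag on x says nothing about x'.
    t_strong = hash_and_mac(k, x, H_strong)
    return {
        "collision": x != x_prime and H_weak(x) == H_weak(x_prime),
        "weak_accepts_forgery": forged,
        "strong_rejects": not verify(k, x_prime, t_strong, H_strong),
    }


if __name__ == "__main__":
    print(demo())
```

The second case of the sketch (a new digest with a valid tag) is a forgery against `mac_short` itself and cannot be demonstrated this way; that is the point of the reduction: any forger must fall into one of the two cases, so security of H and of the short-message MAC together imply security of the composition.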
Encryption + integrity
• In most settings, confidentiality and integrity are both needed
• How to obtain both?
• Use "encrypt-then-authenticate"
• Other natural possibilities are problematic!
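An added example (not from the lecture) of the recommended order, encrypt-then-authenticate: the MAC is computed over the ciphertext, the receiver checks the tag first and decrypts only if it verifies, and the two operations use independent keys. Assumptions: encryption is a counter-mode stream whose keystream blocks come from HMAC-SHA256 as the PRF (a stand-in for AES-CTR, which the standard library lacks); the MAC is HMAC-SHA256 over nonce || ciphertext; the message and the attacker's bit flip are constructed for the demo.

```python
"""Encrypt-then-authenticate with independent keys, verify before decrypt.

Added example, not lecture code. ASSUMPTIONS: keystream blocks are
HMAC-SHA256(k_enc, nonce || counter) as a stand-in for AES-CTR; the MAC is
HMAC-SHA256(k_mac, nonce || ciphertext). Packet layout: nonce(16) || ct || tag(32).
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt_then_mac(k_enc: bytes, k_mac: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()   # MAC over ciphertext
    return nonce + ct + tag


def decrypt_unchecked(k_enc: bytes, packet: bytes) -> bytes:
    """What a receiver with no integrity check would compute (for comparison only)."""
    nonce, ct = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN]
    return bytes(c ^ s for c, s in zip(ct, keystream(k_enc, nonce, len(ct))))


def verify_then_decrypt(k_enc: bytes, k_mac: bytes, packet: bytes):
    """Returns the plaintext, or None if the tag does not verify.
    Nothing is decrypted unless the tag is valid."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt_unchecked(k_enc, packet)


def demo() -> dict:
    k_enc, k_mac = os.urandom(32), os.urandom(32)   # independent keys
    msg = b"pay 100"                                 # constructed sample
    pkt = encrypt_then_mac(k_enc, k_mac, msg)
    # Attacker flips bits in the ciphertext byte that encrypts '1' so that it
    # decrypts to '9': stream ciphers are malleable, so this works without k_enc.
    tampered = bytearray(pkt)
    tampered[NONCE_LEN + 4] ^= ord("1") ^ ord("9")
    tampered = bytes(tampered)
    return {
        "roundtrip": verify_then_decrypt(k_enc, k_mac, pkt) == msg,
        "unchecked_gives": decrypt_unchecked(k_enc, tampered),
        "tamper_rejected": verify_then_decrypt(k_enc, k_mac, tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The `unchecked_gives` entry shows why integrity cannot be left to the encryption: without the tag the receiver would accept "pay 900". Because the tag covers the ciphertext, the tampered packet is rejected before a single byte is decrypted, which also keeps any decryption-side error behaviour away from an attacker.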
Sharing keys?
• Secure sharing of a key is necessary for private-key crypto
• How do parties share a key in the first place?
• One possibility is a secure physical channel
  • E.g., in-person meeting
  • Dedicated (un-tappable) phone line
  • USB stick via courier service
• Another possibility: key exchange protocols
  • Parties can agree on a key over a public channel
  • This is amazing! (And began a revolution in crypto…)
Diffie-Hellman key exchange
• Before describing the protocol, a brief detour through number theory…
  • Modular arithmetic, Z_p, Z_p*
  • Generators
  • The discrete logarithm assumption