Message Integrity - PowerPoint PPT Presentation
1
Message Integrity
  • CS255 Winter 06

2
Message Integrity
  • Goal: provide message integrity. No
    confidentiality.
  • Ex: protecting public binaries on disk.
    Protecting ads.
  • Requires a secret key k unknown to the attacker.
  • Def: a MAC $I = (S, V)$ defined over $(K, M, T)$ is
    a pair of algorithms:
    - $S(k, m)$ outputs $t \in T$,
    - $V(k, m, t)$ outputs yes or no

[Figure: Alice and Bob share the key k. Alice generates tag $\leftarrow S(k, m)$ and sends message m together with the tag; Bob checks it with $V(k, m, \mathrm{tag})$.]
3
Secure MACs
  • Attacker's power: chosen message attack.
  • For $m_1, m_2, \ldots, m_q$ the attacker is given $t_i \leftarrow S(k, m_i)$.
  • Attacker's goal: existential forgery.
  • Produce some new valid message/tag pair
    $(m, t)$:
  • $(m, t) \notin \{(m_1, t_1), \ldots, (m_q, t_q)\}$
  • Note: the attacker cannot even produce a valid tag
    for a nonsensical message.

4
Secure MACs
  • For a MAC $I = (S, V)$ and adv. A we define a MAC
    game (below).
  • Def: $I = (S, V)$ is a secure MAC if for all
    efficient A, $\mathrm{MAC\,Adv}[A, I] = \Pr[\text{Chal. outputs } 1]$
  • is negligible.

[Figure: MAC game. Chal. picks $k \leftarrow K$; Adv. sends chosen messages $m_i$ and receives $t_i \leftarrow S(k, m_i)$; Adv. finally outputs a pair $(m, t)$, and Chal. outputs $b = 1$ if $V(k, m, t) = \text{yes}$ and $(m, t)$ is not one of the queried pairs, else $b = 0$.]
5
Any secure PRF is a secure MAC
  • Let F be a PRF over $(K, X, Y)$. Define a MAC
    $I_F = (S, V)$:
  • $S(k, m) = F(k, m)$
  • $V(k, m, t)$: output yes if $t = F(k, m)$ and no
    otherwise.
  • Theorem: If F is a secure PRF and $1/|Y|$ is
    negligible then $I_F$ is a secure MAC.
  • In particular, for any MAC adversary A
    attacking $I_F$ there exists a PRF adversary B
    attacking F s.t.
  • $\mathrm{MAC\,Adv}[A, I_F] \le \mathrm{PRF\,Adv}[B, F] + 1/|Y|$
  • $\Rightarrow$ $I_F$ is secure as long as $|Y|$ is large, say
    $|Y| = 2^{80}$.

6
Proof Sketch
  • Intuition:
  • Adversary A issues chosen message queries $m_1, m_2, \ldots$
  • Gets back $F(k, m_1), F(k, m_2), \ldots$
  • Must guess $F(k, m)$ for $m \notin \{m_1, m_2, \ldots\}$
  • But F is a PRF, so the prob. that A guesses $F(k, m)$ is
    $1/|Y|$ (a random function's value at a fresh point is uniform in Y).
  • Truncating MACs:
  • Suppose the MAC is a PRF outputting n-bit tags ($|Y| = 2^n$).
  • It is OK to truncate the MAC output to $w < n$ bits,
  • as long as $1/2^w$ is still negligible
    (say $w \ge 64$).

7
Examples
  • AES: a MAC for 16-byte messages.
  • Main question: how to convert a Small-MAC into
    a Big-MAC?
  • Two main constructions:
  • CBC-MAC (banking: ANSI X9.9, X9.19, FIPS
    186-3)
  • HMAC (Internet protocols: SSL, IPsec, SSH, ...)
  • Both convert a small-PRF into a big-PRF.

8
Construction 1: (E)CBC-MAC

[Figure: encrypted CBC-MAC. Message blocks $m_0, m_1, \ldots$ are chained: each block is XORed with the previous $F(k, \cdot)$ output and fed through $F(k, \cdot)$; the final chaining value is passed through $F(k_1, \cdot)$ to produce the tag.]

Let F be a PRF over $(K, X, X)$. Define the new PRF $F_{\mathrm{CBC}}$
over $(K^2, X^{\le L}, X)$.
9
CBC-MAC Analysis
  • CBC-MAC Theorem: For any $L > 0$, if F is a
    secure PRF over $(K, X, X)$ then $F_{\mathrm{CBC}}$ is a secure
    PRF over $(K^2, X^{\le L}, X)$.
  • In particular, for a q-query PRF adv. A
    attacking $F_{\mathrm{CBC}}$ there exists a PRF adversary B
    s.t.
  • $\mathrm{PRF\,Adv}[A, F_{\mathrm{CBC}}] \le \mathrm{PRF\,Adv}[B, F] + 2 q^2 L^{o(1)} / |X|$
  • Note: CBC-MAC is secure as long as $q \ll |X|^{1/2}$
    (for AES, $|X| = 2^{128}$, so well under $2^{64}$ messages per key).

10
Why the last encryption step?
  • Suppose we define a MAC $I_{\mathrm{RAW}} = (S, V)$
    where
  • $S(k, m) = \mathrm{RawCBC}(k, m)$ (the CBC chain with no final $F(k_1, \cdot)$ step)
  • Fact: $I_{\mathrm{RAW}}$ is easily broken using a chosen
    msg attack.
  • Adversary works as follows:
  • Pick an arbitrary one-block message $m \in M$
  • Request the tag for m. Get $t = F(k, m)$
  • Output t as MAC forgery for the two-block message $(m,
    t \oplus m)$
  • Indeed $\mathrm{RawCBC}(k, (m, t \oplus m)) = F(k, t \oplus (t \oplus m)) = F(k, m) = t$
  • Unimportant note: RawCBC is secure for
    prefix-free inputs.

11
CBC-MAC Padding
  • What if the length of m is not a multiple of the
    block size?
  • Bad idea: pad m with 0s.
  • Vulnerable to chosen message attack:
  • ask for the tag on m and obtain the tag on $m \| 0$
    (both pad to the same block string).
  • ISO: pad with $100 \ldots 00$. Add a new block if
    needed (i.e. when m already fills a whole number of blocks).
  • The 1 indicates the beginning of the pad.
  • CMAC: different padding. Never adds an extra
    block.
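The raw-CBC forgery from slide 10 and the zero-padding forgery from slide 11, worked through against a toy encrypted CBC-MAC, as an added example that is not part of the CS255 slides. Assumptions: the block PRF $F(k, \cdot)$ over 16-byte blocks is HMAC-SHA256 truncated to 16 bytes (a stand-in for AES so the block runs with the Python standard library only), and the keys and messages are constructed inline.

```python
import hashlib
import hmac

BLOCK = 16  # block size of the PRF, as for AES


def F(k: bytes, x: bytes) -> bytes:
    """Block PRF over (K, X, X) with X = 16-byte strings.
    Assumption: HMAC-SHA256 truncated to one block stands in for AES(k, x)."""
    assert len(x) == BLOCK
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def raw_cbc(k: bytes, m: bytes) -> bytes:
    """RawCBC(k, m): CBC chaining of F(k, .) over a block-aligned m, no final step."""
    assert m and len(m) % BLOCK == 0
    state = bytes(BLOCK)
    for i in range(0, len(m), BLOCK):
        state = F(k, xor(state, m[i:i + BLOCK]))
    return state


def pad_zero(m: bytes) -> bytes:
    """The bad idea: pad with 0s.  m and m||0 pad to the same string."""
    return m + bytes(-len(m) % BLOCK)


def pad_iso(m: bytes) -> bytes:
    """ISO padding 100...00: a 0x80 byte then zeros; adds a whole block when m is aligned."""
    return m + b"\x80" + bytes(-(len(m) + 1) % BLOCK)


def no_pad(m: bytes) -> bytes:
    """For messages that are already block-aligned."""
    return m


def ecbc_mac(k: bytes, k1: bytes, m: bytes, pad=pad_iso) -> bytes:
    """Encrypted CBC-MAC: F(k1, RawCBC(k, pad(m)))."""
    return F(k1, raw_cbc(k, pad(m)))


def verify(tag_fn, m: bytes, t: bytes) -> bool:
    """V(k, m, t): recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag_fn(m), t)


def raw_cbc_forgery(k: bytes, k1: bytes):
    """Slide 10: one chosen-message query on a one-block m, then forge (m, t xor m).
    Returns (forged_msg, tag, accepted_by_raw_cbc, accepted_by_ecbc)."""
    m = b"pay 100 to alice"          # constructed 16-byte (one-block) message
    t = raw_cbc(k, m)                # the query: t = F(k, m)
    forged = m + xor(t, m)           # RawCBC(k, forged) = F(k, t xor (t xor m)) = t
    raw_ok = verify(lambda x: raw_cbc(k, x), forged, t)
    # Same trick against ECBC: the observed tag is F(k1, F(k, m)), which the attacker
    # cannot peel back to F(k, m), so the forged pair is rejected (except w.p. 2^-128).
    t_e = ecbc_mac(k, k1, m, pad=no_pad)
    ecbc_ok = verify(lambda x: ecbc_mac(k, k1, x, pad=no_pad), m + xor(t_e, m), t_e)
    return forged, t, raw_ok, ecbc_ok


def zero_pad_forgery(k: bytes, k1: bytes, m: bytes):
    """Slide 11: with zero padding the tag on m is also a valid tag on m||0.
    Returns (accepted_with_zero_padding, accepted_with_iso_padding)."""
    assert len(m) % BLOCK != 0       # only unaligned messages are affected
    m0 = m + b"\x00"
    t_zero = ecbc_mac(k, k1, m, pad=pad_zero)
    t_iso = ecbc_mac(k, k1, m, pad=pad_iso)
    return (verify(lambda x: ecbc_mac(k, k1, x, pad=pad_zero), m0, t_zero),
            verify(lambda x: ecbc_mac(k, k1, x, pad=pad_iso), m0, t_iso))


if __name__ == "__main__":
    k, k1 = b"\x01" * 16, b"\x02" * 16   # constructed keys
    print("raw-CBC forgery accepted (raw, ecbc):", raw_cbc_forgery(k, k1)[2:])
    print("zero-pad forgery accepted (zero, iso):", zero_pad_forgery(k, k1, b"transfer 5"))
```

The final $F(k_1, \cdot)$ layer is what stops the first attack, and the injective ISO padding (a 0x80 marker, plus a full extra block when the message is already aligned) is what stops the second; the verifier uses `hmac.compare_digest` so tag comparison does not leak timing.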

12
Construction 2: PMAC
  • CBC-MAC is sequential. PMAC: Parallel MAC.

[Figure: PMAC. Each message block $m_i$ is XORed with a position-dependent mask and fed through $F(k, \cdot)$ independently (in parallel); the outputs are XORed together and the result is passed through $F(k_1, \cdot)$ to produce the tag.]
13
PMAC Analysis
  • PMAC Theorem: For any $L > 0$, if F is a secure
    PRF over $(K, X, X)$ then $F_{\mathrm{PMAC}}$ is a secure PRF
    over $(K^2, X^{\le L}, X)$.
  • In particular, for a q-query PRF adv. A
    attacking $F_{\mathrm{PMAC}}$ there exists a PRF adversary B
    s.t.
  • $\mathrm{PRF\,Adv}[A, F_{\mathrm{PMAC}}] \le \mathrm{PRF\,Adv}[B, F] + 2 q^2 L^2 / |X|$
  • Note: PMAC is secure as long as $qL \ll |X|^{1/2}$
  • Note: PMAC is incremental. Homework.
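A simplified PMAC with the incremental update the slide leaves as homework, as an added example that is not from the CS255 slides. Assumptions: the block PRF F is HMAC-SHA256 truncated to 16 bytes (a stand-in for AES); the per-position mask is taken as $P(k, i) = F(k, i)$, a hypothetical simplification in place of the $\mathrm{GF}(2^{128})$ multiples real PMAC uses; messages are block-aligned, so padding is out of scope here; and the signer keeps the pre-tag XOR state so it can update a tag without rehashing the whole message.

```python
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor

BLOCK = 16


def F(k: bytes, x: bytes) -> bytes:
    """Block PRF on 16-byte blocks (assumption: truncated HMAC-SHA256 stands in for AES)."""
    assert len(x) == BLOCK
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def mask(k: bytes, i: int) -> bytes:
    """Position-dependent mask P(k, i).  Assumption: F(k, i) rather than PMAC's real masks.
    Without a mask, swapping two blocks would leave the XOR sum, and so the tag, unchanged."""
    return F(k, i.to_bytes(BLOCK, "big"))


def blocks_of(m: bytes) -> list:
    assert m and len(m) % BLOCK == 0
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]


def term(k: bytes, i: int, block: bytes) -> bytes:
    """The i-th contribution F(k, m_i xor P(k, i)); depends only on (i, m_i)."""
    return F(k, xor(block, mask(k, i)))


def pmac_state(k: bytes, m: bytes) -> bytes:
    """XOR of all terms.  The terms are independent, so they are computed in parallel."""
    with ThreadPoolExecutor() as pool:
        terms = list(pool.map(lambda ib: term(k, ib[0], ib[1]), enumerate(blocks_of(m))))
    state = bytes(BLOCK)
    for t in terms:
        state = xor(state, t)
    return state


def pmac(k: bytes, k1: bytes, m: bytes) -> bytes:
    """tag = F(k1, XOR_i F(k, m_i xor P(k, i)))."""
    return F(k1, pmac_state(k, m))


def pmac_update(k: bytes, k1: bytes, state: bytes, i: int, old: bytes, new: bytes):
    """Incremental update: replace block i given the kept pre-tag state.
    XOR the old term out and the new term in, then re-apply F(k1, .):
    a constant number of PRF calls instead of one per block.  Returns (new_state, new_tag)."""
    state = xor(xor(state, term(k, i, old)), term(k, i, new))
    return state, F(k1, state)


if __name__ == "__main__":
    k, k1 = b"\x03" * 16, b"\x04" * 16        # constructed keys
    A, B = b"A" * 16, b"B" * 16               # constructed blocks
    m = A + B + A + B
    st = pmac_state(k, m)
    print("tag      :", pmac(k, k1, m).hex())
    st2, tag2 = pmac_update(k, k1, st, 2, A, B)   # edit block 2 in place
    print("updated  :", tag2.hex(), "==", pmac(k, k1, A + B + B + B).hex())
```

If the final layer $F(k_1, \cdot)$ is a block cipher rather than a one-way PRF, the key holder can recover the pre-tag state from the tag itself by decrypting, so the state need not be stored; the version above keeps the state explicitly to stay independent of that property.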

14
Construction 3: HMAC (Hash-MAC)
  • Most widely used MAC on the Internet.
  • But first we discuss hash functions.

15
Collision Resistant Hashing
16
Collision Resistance
  • Let $H : M \to T$ be a hash function.
  • A collision for H is a pair $m_0, m_1 \in M$ such
    that
  • $H(m_0) = H(m_1)$ and $m_0 \ne m_1$
  • Def: A function H is collision resistant if
    for all (uniform) efficient algs. A
  • $\mathrm{CR\,Adv}[A, H] = \Pr[A \text{ outputs a collision for } H]$
  • is negligible
  • Used to have lots of examples: MD5 (216 MB/s), SHA1 (68 MB/s), ...
  • Currently, only SHA-256 (44.5 MB/s), SHA-512 (11.4 MB/s),
    Whirlpool (12.1 MB/s) (throughput figures as given on the slide)
17
MACs from Collision Resistance
  • Let $I = (S, V)$ be a MAC for small messages over
    $(K, M, T)$.
  • Let $H : M_{\mathrm{big}} \to M$
  • Define $I_{\mathrm{big}} = (S_{\mathrm{big}}, V_{\mathrm{big}})$ over $(K,
    M_{\mathrm{big}}, T)$ as:
  • $S_{\mathrm{big}}(k, m) = S(k, H(m))$, $V_{\mathrm{big}}(k, m, t) =
    V(k, H(m), t)$
  • Theorem: If I is a secure MAC and H is
    collision resistant then $I_{\mathrm{big}}$ is a secure
    MAC.
  • So $S(k, m) = \mathrm{AES}(k, \text{SHA-256}(m))$ is a secure
    MAC (a 32-byte SHA-256 digest is two AES blocks, so the inner MAC must cover two-block messages, e.g. with the CBC-MAC construction above).
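The hash-then-MAC construction $I_{\mathrm{big}}$ and the contrapositive of the theorem, as an added example that is not from the CS255 slides: when H is not collision resistant, a single chosen-message query yields an existential forgery. Assumptions: the small-message MAC $S(k, \cdot)$ over 32-byte inputs is HMAC-SHA256 (a stand-in for the AES-based MAC the slide names, so the block needs only the standard library); the weak hash `H_weak` is SHA-256 truncated to 24 bits, chosen so a birthday search finds a collision in a few thousand constructed messages.

```python
import hashlib
import hmac


def S(k: bytes, x: bytes) -> bytes:
    """Small-message MAC over 32-byte inputs.  Assumption: HMAC-SHA256 stands in
    for the AES-based MAC on the slide."""
    assert len(x) == 32
    return hmac.new(k, x, hashlib.sha256).digest()


def H_strong(m: bytes) -> bytes:
    """Collision-resistant hash: full SHA-256."""
    return hashlib.sha256(m).digest()


def H_weak(m: bytes) -> bytes:
    """Deliberately NOT collision resistant: SHA-256 truncated to 24 bits, zero-padded
    back to 32 bytes so it fits the same small-message MAC."""
    return hashlib.sha256(m).digest()[:3] + bytes(29)


def S_big(k: bytes, m: bytes, H=H_strong) -> bytes:
    """S_big(k, m) = S(k, H(m))."""
    return S(k, H(m))


def V_big(k: bytes, m: bytes, t: bytes, H=H_strong) -> bool:
    """V_big(k, m, t) = V(k, H(m), t), with a constant-time comparison."""
    return hmac.compare_digest(S_big(k, m, H), t)


def find_collision(H, limit: int = 1_000_000):
    """Birthday search over constructed messages msg-0, msg-1, ...; for a 24-bit hash
    about sqrt(pi/2 * 2^24), roughly 5000, trials are expected.  Returns None if the
    limit is exhausted (as it will be for a real 256-bit hash)."""
    seen = {}
    for i in range(limit):
        m = b"msg-%d" % i
        h = H(m)
        if h in seen:
            return seen[h], m
        seen[h] = m
    return None


def forge_via_collision(k: bytes, H):
    """Attacker finds m0 != m1 with H(m0) = H(m1), queries the tag on m0 once, and
    presents that tag for m1.  Returns (m0, m1, tag, accepted)."""
    m0, m1 = find_collision(H)
    t = S_big(k, m0, H)             # the single chosen-message query
    return m0, m1, t, V_big(k, m1, t, H)


if __name__ == "__main__":
    k = b"\x05" * 16                # constructed key
    m0, m1, t, ok = forge_via_collision(k, H_weak)
    print("collision:", m0, m1, "-> forged tag accepted:", ok)
```

The attacker never touches k: the forgery comes entirely from the hash, which is exactly why the theorem needs collision resistance of H and not merely the security of the inner MAC.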