Your SlideShare is downloading. ×
0
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Lecture 2   Message Authentication
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Lecture 2 Message Authentication

824

Published on

Published in: Technology, Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
824
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
47
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Lecture 2Message Authentication<br />StefanDziembowski<br />UniversityofRome<br />La Sapienza<br />
  • 2. Plan<br />Introduction to message authentication codes (MACs).<br />Constructions of MACs block ciphers<br />Hash functions<br />a definition<br />constructions<br />the “birthday attack”<br />a construction of MACs from hash functions<br />the random oracle model <br />
  • 3. Secure communication<br />1<br />2<br />3<br />4<br />
  • 4. 4<br />Message Authentication<br />Integrity:<br />M<br />Alice<br />Bob<br />interferes with the transmission<br />(modifies the message, or inserts a new one)<br />How can Bob be sure that M really comes from Alice?<br />
  • 5. 5<br />Sometimes: more importantthansecrecy!<br />transfer 1000 $ to Bob<br />transfer 1000 $ to Eve<br />Alice<br />Bank<br />Of course: usually we want both secrecy and integrity.<br />
  • 6. 6<br />Does encryption guarantee message integrity?<br />Idea:<br />Alice encrypts m and sends c=Enc(k,m) to Bob.<br />Bob computes Dec(k,m), and if it “makes sense” accepts it.<br />Intuiton: only Alice knows k, so nobody else can produce a valid ciphertext.<br />It does not work!<br />Example: one-time pad.<br />transfer 1000 $ to Bob<br />plaintext M<br />If Eve knows M and C then she can calculate K and produce a ciphertext of any other message <br />key K<br />xor<br />ciphertext C<br />
  • 7. 7<br />Message authentication<br />verifies if<br />t=Tagk(m)<br />(m, t=Tagk(m))<br />m<br />Alice<br />Bob<br />k<br />k<br />Eve can see (m, t=Tagk(m))<br />She should not be able to compute a valid tag t’ on any other message m’.<br />
  • 8. 8<br />Message authentication – multiple messages<br />(m1, t1 =Tagk(m1))<br />m1<br />(m2, t2=Tagk(m2))<br />m2<br />. . .<br />. . .<br />Alice<br />Bob<br />(mw, tw=Tagk(mw))<br />mt<br />k<br />k<br />Eve should not be able to compute a valid tag t’ on any other message m’.<br />
  • 9. 9<br />Message Authentication Codes – the idea<br />(m, t=Tagk(m))<br />m є {0,1}*<br />Vrfyk(m,t)є {yes,no}<br />Alice<br />Bob<br />k<br />k<br />k ischosenrandomlyfrom some set K<br />
  • 10. A mathematical view<br />K– key space<br />M– plaintext space<br />T - set oftags<br />A MAC schemeis a pair (Tag, Vrfy), where<br /><ul><li>Tag : K × M → Tis an taggingalgorithm,
  • 11. Vrfy:K× M × T→ {yes, no}is a verificationalgorithm.</li></ul>We will sometimes write Tagk(m) and Vrfyk(m,t) instead of Tag(k,m) and Vrfy(k,m,t).<br />Correctness<br />it shouldalways holds that:Vrfyk(m,Tagk(m)) = yes.<br />
  • 12. Conventions<br />If Vrfyk(m,t) = yesthen we say that tis a valid tag on the message m.<br />If Tag is deterministic, then Vrfyjust computes Tagand compares the result.<br />In this case we do not need to define Vrfyexplicitly.<br />
  • 13. 12<br />How to define security?<br />We need to specify:<br />how the messages m1,...,mware chosen,<br />what is the goal of the adversary.<br />Good tradition:be as pessimistic as possible!<br />Therefore we assume that<br />The adversary is allowed to chose m1,...,mw.<br />The goal of the adversary is to produce a valid tag onsome m’ such that m’ ≠m1,...,mw.<br />
  • 14. 13<br />security parameter<br />1n<br />selects random ak Є{0,1}n<br />m1<br />adversary<br />(m1, t=Tagk(m1))<br />oracle<br />. . .<br />mw<br />(mw, t=Tagk(mw))<br />We say that the adversary breaks the MAC scheme at the end she outputs (m’,t’) such that<br />Vrfy(m’,t’) = yes<br />and<br /> m’ ≠m1,...,mw<br />
  • 15. 14<br />The security definition<br />We say that (Tag,Vrfy) is secure if<br />A<br />P(A breaks it) is negligible (inn)<br />polynomial-timeadversary A<br />
  • 16. 15<br />Aren’t we too paranoid?<br />Maybe it would be enough to require that: <br />the adversary succeds only if he forges a message that “makes sense”.<br />(e.g.: forging a message that consists of random noise should not count)<br />Bad idea:<br />hard to define,<br />is application-dependent.<br />
  • 17. 16<br />(m, t)<br />(m, t)<br />(m, t)<br />Warning: MACs do not offer protection against the “replay attacks”.<br />(m, t)<br />Alice<br />Bob<br />Since Vrfyhas no state (or “memory”) there is no way to detect that (m,t) is not fresh!<br />. . .<br />This problem has to be solved by the higher-level application<br />(methods: time-stamping, sequence numbers...).<br />
  • 18. Authentication and Encryption<br />Options:<br />Encrypt-and-authenticate:<br />c := Enck1(m) and t:= Tagk2 (m), send (c,t)<br />Authenticate-then-encrypt:<br />t:= Tagk2 (m) and c := Enck1(m||t), send (c,t)<br />Encrypt-then-authenticate:<br />c := Enck1(m) and t:= Tagk2 (c), send (c,t)<br />c := Enck1(m)<br />c := Enck1(m ||t)<br />m<br />t:= Tagk2 (m)<br />m<br />t:= Tagk2 (m)<br />wrong<br />better<br />the best<br />t:= Tagk2 (c)<br />m<br />c := Enck1(m)<br />
  • 19. 18<br />Constructing a MAC<br />There exist MACs that are secure even if the adversary is infinitely-powerful.These constructions are not practical.<br />MACs can be constructed from the block-ciphers. We will now discuss to constructions:<br />simple (and not practical),<br />a little bit more complicated (and practical) – a CBC-MAC<br />MACs can also be constructed from the hash functions (NMAC, HMAC). <br />
  • 20. Plan<br />Introduction to message authentication codes (MACs).<br />Constructions of MACs from block ciphers<br />Hash functions<br />a definition<br />constructions<br />the “birthday attack”<br />concrete functions<br />a construction of MACs from hash functions<br />the random oracle model <br />
  • 21. A simple construction from a block cipher<br />Let <br />F : {0,1}n× {0,1}n -&gt; {0,1}n<br />be a block cipher. <br />We can now define a MAC scheme that works only for messages m Є{0,1}n as follows:<br />Tag(k,m) = F(k,m)<br />It can be proven that it is a secure MAC.<br />How to generalize it to longer messages?<br />F(k,m)<br />Fk<br />k<br />m<br />20<br />
  • 22. 21<br />Idea 1<br /><ul><li> divide the message in blocksm1,...,md
  • 23. and authenticateeach block separately</li></ul>F(k,m1)<br />F(k,md)<br />Fk<br />Fk<br />. . .<br />m1<br />md<br />Thisdoesn’t work!<br />
  • 24. 22<br />What goes wrong?<br />m:<br />t = Tagk(m):<br />perm<br />m’ = perm(m):<br />t’ = perm(t):<br />Then t’ is a valid tag on m’. <br />
  • 25. 23<br />Idea 2<br />Add a counter to each block.<br />F(k,x1)<br />F(k,xd)<br />Fk<br />Fk<br />. . .<br />m1<br />md<br />1<br />d<br />x1<br />xd<br />This doesn’t work either!<br />
  • 26. 24<br />mi<br />i<br />xi<br />m:<br />t = Tagk(m):<br />m’ = a prefix of m:<br />t’ = a prefix of t:<br />Then t’ is a valid tag on m’. <br />
  • 27. 25<br />Idea 3<br />Addl := |m|toeach block<br />F(k,x1)<br />F(k,xd)<br />Fk<br />Fk<br />. . .<br />m1 <br />md <br />1<br />d<br />l<br />l<br />x1<br />xd<br />This doesn’t work either!<br />
  • 28. 26<br />m1 <br />1<br />l<br />xi<br />What goes wrong? <br />m:<br />m’:<br />t = Tagk(m):<br />t’ = Tagk(m’):<br />m’’= first half from m|| second half from m’<br />t’’ = first half from t || second half from t’<br />Then t’’ is a valid tag on m’’.<br />
  • 29. 27<br />Idea 4<br />Add a freshrandomvaluetoeach block!<br />F(k,x1)<br />F(k,xd)<br />Fk<br />Fk<br />. . .<br />md<br />d<br />l<br />r<br />md<br />d<br />l<br />r<br />x1<br />xd<br />Thisworks!<br />
  • 30. 28<br />tagk(m)<br />F(k,x1)<br />F(k,x2)<br />F(k,xd)<br />r<br />Fk<br />Fk<br />Fk<br />. . . <br />. . . <br />1<br />l<br />r<br />m2<br />2<br />r<br />md<br />d<br />r<br />m1<br />l<br />l<br />x2<br />x1<br />xd<br />. . . <br />r is chosen randomly<br />m1<br />m2<br />md<br />m<br />000<br />n – block length<br />l<br />|mi| = n/4<br />pad with zeroes if needed<br />
  • 31. 29<br />This construction can be proven secure<br />Theorem<br />Assuming that<br />F : {0,1}n× {0,1}n -&gt; {0,1}n is a pseudorandompermutation<br />the construction from the previous slide is a secure MAC.<br />Proof idea:<br />Suppose it is not a secure MAC. <br />Let A be an adversary that breaks it with a non-negligible probability.<br />We construct a distinguisher D that distinguishes F from a random permutation.<br />
  • 32. A new member of “Minicrypt”<br />one-way functions<br />exist<br />this can be proven<br />this we already knew<br />computationally-secure<br />MACs exist<br />cryptographic PRGs<br />exist<br />this we have just proven<br />
  • 33. 31<br />Problem:<br />The tag is 4 times longer than the message...<br />This construction is not practical<br />We can do much better!<br />
  • 34. 32<br />CBC-MAC<br />F : {0,1}n× {0,1}n -&gt; {0,1}n- a block cipher<br />tagk(m)<br />Fk<br />Fk<br />Fk<br />Fk<br />Fk<br />. . . <br />m1<br />m2<br />m3<br />md<br />|m|<br />m<br />0000<br />pad with zeroes if needed<br />Other variants exist!<br />
  • 35. 33<br />tagk(m)<br />Fk<br />Fk<br />Fk<br />Fk<br />Fk<br />. . . <br />m1<br />m2<br />m3<br />md<br />|m|<br />Why is this needed?<br />Suppose we donot prepend |m|...<br />
  • 36. 34<br />t1=tagk(m1)<br />t2=tagk(m2)<br />the adversarychooses:<br />Fk<br />Fk<br />m1<br />m2<br />t’= tagk(m’)<br />t1<br />t’ = t2<br />Fk<br />Fk<br />now she can compute:<br />m2<br />m1<br />m2xor t1<br />m’<br />
  • 37. 35<br />Some practictioners don’t like the CBC-MAC<br />We don’t want to authenticate using the block ciphers!<br />What do you want to use instead?<br />Hash functions!<br />Why?<br />Because:<br />they are more efficient,<br />they are notprotectedby the export regulations.<br />
  • 38. Plan<br />Introduction to message authentication codes (MACs).<br />Constructions of MACs:<br />from pairwise independent functions<br />from block ciphers<br />Hash functions<br />a definition<br />constructions<br />the “birthday attack”<br />concrete functions<br />a construction of MACs from hash functions<br />the random oracle model <br />
  • 39. 37<br />Another idea for authenticating long messages<br />Fk(h(m))<br />a block cipher<br />Fk<br />k<br />h(m)<br />a “hashfunction” h<br />long m<br />By the way: a similar method is used in the public-key cryptography (it is called “hash-and-sign”).<br />
  • 40. How to formalize it?<br />We need to define what is a “hash function”.<br />The basic property that we require is:<br />“collision resistance”<br />
  • 41. 39<br />Collision-resistant hash functions<br />short H(m)<br />a hash function<br />H : {0,1}* -&gt; {0,1}L<br />longm<br />collision-resistance<br />a “collision”<br />Requirement: itshouldbe hard tofind a pair(m,m’)suchthat<br />H(m) =H(m’)<br />
  • 42. 40<br />Collisions always exist<br />domain<br />m<br />range<br />m’<br />Since the domain islargerthan the range the collisionshavetoexist.<br />
  • 43. 41<br />“Practical definition”<br />H is a collision-resistanthashfunctionifitis “practicallyimpossibletofindcollisions in H”.<br />Popularhashfuncitons:<br /><ul><li>MD5 (nowconsideredbroken)
  • 44. SHA1
  • 45. ...</li></li></ul><li>42<br />How to formally define “collision resitance”?<br />Idea<br />Saysomethinglike: His a collision-resistanthashfunctionif<br />A<br />P(A finds a collision in H) is small<br />efficientadversary A<br />Problem<br />For a fixedHtherealwaysexist a constant-timealgorithmthat “finds a collision in H” in constanttime.<br />Itmaybe hard tofindsuchanalgorithm, butitalwaysexists!<br />
  • 46. 43<br />Solution<br />Whenwe prove theoremswewillalwaysconsider<br />familiesofhashfunctions<br />indexedby a key s<br />{Hs} s є keys<br />
  • 47. 44<br />informal description:<br />“knows H”<br />a protocol<br />H<br />H<br />H<br />formal model:<br />sis chosen<br />randomly<br />a protocol<br />s<br />Hs<br />Hs<br />Hs<br />
  • 48. 45<br />informal description:<br />“knows H”<br />a protocol<br />H<br />H<br />H<br />H<br />real-life implementation (example):<br />“knows SHA1”<br />a protocol<br />SHA1<br />SHA1<br />SHA1<br />
  • 49. 46<br />Hash functions – the functional definition<br />A hashfunctionis a probabilisticpolynomial-time algorithmH such that:<br />H takes as input a key sє {0,1}nand a message x є {0,1}*and outputs a string<br />Hs(x)є {0,1}L(n)<br /> where L(n)is some fixed function.<br />
  • 50. 47<br />Hashfunctions – the security definition [1/2]<br />1n<br />selects a random<br /> s є {0,1}n<br />s<br />outputs (m,m’)<br />WesaythatadversaryAbreaks the functionHifHs(m) = Hs(m’).<br />
  • 51. 48<br />Hash functions – the security definition [2/2]<br />His a collision-resistanthashfunctionif<br />A<br />P(A breaks H)is negligible<br />polynomial-timeadversary A<br />
  • 52. 49<br />How to formalize our idea?<br />Fk(h(m))<br />a block cipher<br />Fk<br />k<br />h(m)<br />a “hashfunction” h<br />long m<br />
  • 53. Authentication scheme - formally<br />A key for the MAC is a pair:<br />(s,k)<br />a key for the hash function H<br />a key for the PRP F<br />Tag((k,s),m) = Fk(Hs(m))<br />Theorem. If H and F are secure then Tag is secure.<br />This is proven as follows. <br />Suppose we have an adversary that breaks Tag. Then we can construct:<br />a distinguisher for F<br />an adversary for H<br />or<br />simulates <br />simulates <br />
  • 54. Do collision-resilient hash functions belong to minicrypt?<br />collision-resilient hash functions exist<br />?<br />open problem<br />easy exercise<br />one-way functions<br />exist<br />[D. Simon: Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? 1998]:<br />there is no “black-box reduction”.<br />
  • 55. 52<br />A common method for constructing hash functions<br />Construct a “fixed-input-length” collision-resistanthashfunctionCallit: a collision-resistantcompressionfunction.<br />Useittoconstruct a hashfunction. <br />L<br />h(m)<br />h : {0,1}2·L-&gt; {0,1}L<br />m<br />2·L<br />
  • 56. 53<br />h<br />h<br />h<br />An idea<br />pad with zeroes<br />if needed<br />t<br />m<br />0000<br />. . .<br />m1<br />m2<br />mB<br />miє {0,1}L<br />. . .<br />IV<br />H(m)<br />can be arbitrary<br />This doesn’t work...<br />
  • 57. 54<br />Why is it wrong?<br />t<br />m<br />0000<br />. . .<br />m1<br />m2<br />mB<br />If we set m’ = m || 0000 then H(m’) = H(m).<br />Solution: add a block encoding “t”.<br />t<br />m’<br />0000<br />. . .<br />m’1<br />m’2<br />m’B<br />m’B+1 := t<br />
  • 58. 55<br />Merkle-Damgård transform<br />h<br />h<br />h<br />h<br />given h : {0,1}2L-&gt; {0,1}Lwe construct H : {0,1}*-&gt; {0,1}L<br />doesn’t need to be know in advance<br />(nice!)<br />t<br />m<br />0000<br />m1<br />m2<br />mB<br />mB+1 := t<br />miє {0,1} L<br />. . .<br />IV<br />H(m)<br />
  • 59. 56<br />This construction is secure<br />Wewouldliketo prove the following:<br />Theorem<br />If<br />h : {0,1}2L-&gt; {0,1}L<br />is a collision-resistant compression function<br />then <br /> H : {0,1}*-&gt; {0,1}L<br />is a collision-resistant hash function.<br />But wait….<br />It doesn’t make sense…<br />
  • 60. What to do?<br />To be formal, we would need to consider <br />families of functionsh and Hindexed by key s<br />Let’s stay on the informal level and “argue” that:<br />“if one can find a collision in H then one can find a collision in h”<br />
  • 61. 58<br />abreaksh<br />(m,m’)<br />AbreaksH<br />a collision in H<br />outputsa collision(x,y) in h<br />
  • 62. 59<br />How to compute a collision (x,y) in h from a collision (m,m’) in H?<br />Weconsidertwooptions:<br />|m| = |m’|<br />|m| ≠ |m’|<br />
  • 63. 60<br />Option 1: |m| = |m’|<br />t<br />m<br />0000<br />m1<br />m2<br />mB<br />mB+1 := t<br />t<br />m<br />0000<br />m1<br />m2<br />mB<br />mB+1 := t<br />
  • 64. |m| = |m’|<br />h<br />h<br />h<br />h<br />Some notation:<br />m<br />0000<br />m1<br />m2<br />mB<br />mB+1 := t<br />. . .<br />IV<br />zB+1<br />z2<br />z1<br />z3<br />zB<br />H(m)<br />61<br />
  • 65. 62<br />|m| = |m’|<br />h<br />h<br />h<br />h<br />For m’:<br />m’<br />0000<br />m’1<br />m’2<br />m’B<br />m’B+1 := t<br />. . .<br />IV<br />z’2<br />z’1<br />z’3<br />z’B+1<br />H(m’)<br />z’B<br />
  • 66. 63<br />equal<br />zB+2=H(m)<br />zB+2=H(m’)<br />zB+1<br />mB+1<br />z’B+1<br />m’B+1<br />zB<br />mB<br />z’B<br />m’B<br />. . .<br />. . .<br />z3<br />z3<br />notequal<br />z2<br />m2<br />z’2<br />m’2<br />z1 = IV<br />m1<br />z’1 = IV<br />m’1<br />
  • 67. 64<br />equal<br />zB+2=H(m)<br />zB+2=H(m’)<br />zB+1<br />mB+1<br />z’B+1<br />m’B+1<br />Leti*be the leasti suchthat<br />(mi,zi) = (m’i,z’i) <br />(becausem ≠ m’suchani* &amp;gt; 1alwaysexists!)<br />zB<br />mB<br />z’B<br />m’B<br />. . .<br />. . .<br />z2<br />m2<br />z’2<br />m’2<br />z1 = IV<br />m1<br />z’1 = IV<br />m’1<br />
  • 68. 65<br />So, we have found a collision!<br />equal<br />zi*<br />z’i*<br />h<br />h<br />notequal<br />zi*-1<br />mi*-1<br />z’i*-1<br />m’i*-1<br />
  • 69. 66<br />Option 2: |m| ≠ |m’|<br />equal<br />H(m)<br />H(m’)<br />zB+1<br />mB+1<br />z’B’+1<br />m’B’+1<br />. . .<br />. . .<br />the last block encodesthe length on the messageso thesevaluescannotbeequal!<br />So, again we have found a collision!<br />
  • 70. 67<br />Concrete functions<br />MD5,<br />SHA-1, SHA-256,...<br />....<br />all use (variants of) Merkle-Damgårdtransformation. <br />Hashfunctions can alsobeconstructedusing the numbertheory.<br />
  • 71. Plan<br />Introduction to message authentication codes (MACs).<br />Constructions of MACs:<br />from pairwise independent functions<br />from block ciphers<br />Hash functions<br />a definition<br />constructions<br />the “birthday attack”<br />concrete functions<br />a construction of MACs from hash functions<br />the random oracle model <br />
  • 72. 69<br />What the industry says about the “hash and authenticate” method?<br />the block cipher is still there...<br />Why don’t we just hash a message together with a key:<br />MACk(m) = H(k || m)<br />?<br />It’s not secure!<br />
  • 73. 70<br />Suppose H was constructed using the MD-transform<br />she can fabricate this<br />MACk(m||t)<br />she can see this<br />t + L<br />MACk(m)<br />MACk(m)<br />zB<br />t<br />zB<br />t<br />z2<br />m<br />z2<br />m<br />IV<br />k<br />IV<br />k<br />L<br />
  • 74. 71<br />A better idea<br />M. Bellare, R. Canetti, and H. Krawczyk (1996):<br />NMAC (Nested MAC)<br />HMAC (Hash based MAC)<br />have some “provable properites”<br />They both use the Merkle-Damgårdtransform.<br /> Again, let h : {0,1}2L-&gt; {0,1}L be a compression function.<br />
  • 75. 72<br />NMAC<br />h<br />h<br />h<br />h<br />m<br />0000<br />m1<br />mB<br />mB+1 := |m|<br />. . .<br />k1<br />k2<br />NMAC(k1,k2) (m)<br />
  • 76. 73<br />h<br />What can be proven<br />Suppose that<br />his collision-resistant<br />the following function is a secure MAC:<br />ThenNMAC is a secure MAC.<br />m<br />k2<br />MACk2(m)<br />
  • 77. 74<br />Looks better, but <br />our libraries do not permit to change the IV<br />the key is too long: (k1,k2)<br />HMAC is the solution!<br />
  • 78. 75<br />HMAC<br />h<br />h<br />h<br />h<br />k xor ipad<br />m1<br />mB+1 := |m|<br />ipad = 0x36 repeated<br />opad = 0x5C repeated<br />. . .<br />IV<br />IV<br />h<br />HMACk (m)<br />k xoropad<br />
  • 79. 76<br />HMAC – the properties<br />Looks complicated, but it is very easy to implement (given an implementation of H):<br />HMACk(m) = H((k xoropad) || H(k xoripad || m))<br />It has some “provable properties” (slightly weaker than NMAC).<br />Widely used in practice.<br />We like it!<br />
  • 80. Plan<br />Introduction to message authentication codes (MACs).<br />Constructions of MACs:<br />from pairwise independent functions<br />from block ciphers<br />Hash functions<br />a definition<br />constructions<br />the “birthday attack”<br />concrete functions<br />a construction of MACs from hash functions<br />the random oracle model <br />
  • 81. Other uses of “hash functions”<br />Hash functions are used by practicioners to convert “non-uniform randomness” into a uniform one. <br />Example:<br />shorter “uniformlyrandom” H(m)<br />a hashfunction<br />H : {0,1}* -&gt; {0,1}L<br />usergeneratedrandomnessX (key strokes, mouse movements, etc.)<br />
  • 82. Example: password-based encryption<br />H – hash function<br />(E,D) – encryption scheme<br />messagem<br />m = D(H(π),c)<br />c = E(H(π),m)<br />Alice<br />Bob<br />shared password π<br />shared password π<br />Informally:<br />The only thing that Eve can do is to examine all possible passwords .<br />Warning:<br />there exist much better solutions for this problem<br />
  • 83. Random oracle model<br />[Bellare, Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, 1993]<br />Idea: model the hash function as a random oracle.<br />x<br />H(x)<br />a completely random function<br />H : {0,1}* -&gt; {0,1}L<br />
  • 84. Remember the pseudorandom functions?<br />x<br />x’<br />F(x)<br />F(x’)<br />A random function<br />F: {0,1}m-&gt;{0,1}m <br />x’’<br />F(x’’)<br />Crucial difference:<br />Also the adversary can query the oracle<br />
  • 85. 82<br />informal description:<br />“knows H”<br />a protocol<br />H<br />formal model:<br />Every call to H is replaced with a query to the oracle.<br />H : {0,1}* -&gt; {0,1}L<br />a protocol<br />also the adversary is allowed to query the oracle.<br />
  • 86. How would we use it in the proof?<br />shorter “uniformlyrandom” H(X)<br />a hashfunction<br />H : {0,1}* -&gt; {0,1}L<br />usergeneratedrandomnessX<br />As long as the adversary never queried the oracle on Xthe value H(X) “lookscompletelyrandomtohim”.<br />
  • 87. Criticism of the Random Oracle Model<br />[Canetti, Goldreich, Halevi: The random oracle methodology, revisited. 1998]<br />There exists a signature scheme that is <br />secure in ROM <br />but<br />is not secure if the random oracle is replaced with any real hash function.<br />This example is very artificial. No “realistic” example of this type is know.<br />
  • 88. Terminology<br />Model without the random oracles:<br /><ul><li>“plain model”
  • 89. “cryptographic model”</li></ul>Random Oracle Model is also called:<br />the “Random Oracle Heuristic”.<br />Common view: a ROM proof is better than nothing.<br />
  • 90. Plan<br />Introduction to message authentication codes (MACs).<br />Constructions of MACs:<br />from pairwise independent functions<br />from block ciphers<br />Hash functions<br />a definition<br />constructions<br />a construction of MACs from hash functions<br />the random oracle model <br />
  • 91. Secure communication<br />1<br />2<br />3<br />4<br />
  • 92. Outlook<br />cryptography<br /> “information-theoretic”,<br /> “unconditional”<br />“computational”<br /><ul><li> one time pad,
  • 93. quantum cryptography,
  • 94. ...</li></ul>based on 2 simultaniousassumptions:<br />some problems are computationally difficult<br />our understanding of what “computational difficulty” means is correct.<br />
  • 95. Symmetric cryptography<br />symmetric cryptography<br />encryption<br />authentication<br />
  • 96. The basic information-theoretic tool<br />xor(one-time pad)<br />
  • 97. Basic tools from the computational cryptography<br />one-way functions<br />pseudorandom generators<br />pseudorandom functions/permutations<br />hash functions<br />
  • 98. A method for proving security: reductions<br />minicrypt<br />P ≠ NP<br />hash functions<br />one-way functions<br />pseudorandom generators<br />pseudorandom functions/permutations<br />computationally-secure authentication<br />in general the picture is much more complicated!<br />computationally-secure encryption<br />

×