Lecture 2 Message Authentication

  • 724 views
Uploaded on

 

More in: Technology , Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
724
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
44
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Lecture 2Message Authentication
    StefanDziembowski
    UniversityofRome
    La Sapienza
  • 2. Plan
    Introduction to message authentication codes (MACs).
    Constructions of MACs block ciphers
    Hash functions
    a definition
    constructions
    the “birthday attack”
    a construction of MACs from hash functions
    the random oracle model
  • 3. Secure communication
    1
    2
    3
    4
  • 4. 4
    Message Authentication
    Integrity:
    M
    Alice
    Bob
    interferes with the transmission
    (modifies the message, or inserts a new one)
    How can Bob be sure that M really comes from Alice?
  • 5. 5
    Sometimes: more importantthansecrecy!
    transfer 1000 $ to Bob
    transfer 1000 $ to Eve
    Alice
    Bank
    Of course: usually we want both secrecy and integrity.
  • 6. 6
    Does encryption guarantee message integrity?
    Idea:
    Alice encrypts m and sends c=Enc(k,m) to Bob.
    Bob computes Dec(k,m), and if it “makes sense” accepts it.
    Intuiton: only Alice knows k, so nobody else can produce a valid ciphertext.
    It does not work!
    Example: one-time pad.
    transfer 1000 $ to Bob
    plaintext M
    If Eve knows M and C then she can calculate K and produce a ciphertext of any other message
    key K
    xor
    ciphertext C
  • 7. 7
    Message authentication
    verifies if
    t=Tagk(m)
    (m, t=Tagk(m))
    m
    Alice
    Bob
    k
    k
    Eve can see (m, t=Tagk(m))
    She should not be able to compute a valid tag t’ on any other message m’.
  • 8. 8
    Message authentication – multiple messages
    (m1, t1 =Tagk(m1))
    m1
    (m2, t2=Tagk(m2))
    m2
    . . .
    . . .
    Alice
    Bob
    (mw, tw=Tagk(mw))
    mt
    k
    k
    Eve should not be able to compute a valid tag t’ on any other message m’.
  • 9. 9
    Message Authentication Codes – the idea
    (m, t=Tagk(m))
    m є {0,1}*
    Vrfyk(m,t)є {yes,no}
    Alice
    Bob
    k
    k
    k ischosenrandomlyfrom some set K
  • 10. A mathematical view
    K– key space
    M– plaintext space
    T - set oftags
    A MAC schemeis a pair (Tag, Vrfy), where
    • Tag : K × M → Tis an taggingalgorithm,
    • 11. Vrfy:K× M × T→ {yes, no}is a verificationalgorithm.
    We will sometimes write Tagk(m) and Vrfyk(m,t) instead of Tag(k,m) and Vrfy(k,m,t).
    Correctness
    it shouldalways holds that:Vrfyk(m,Tagk(m)) = yes.
  • 12. Conventions
    If Vrfyk(m,t) = yesthen we say that tis a valid tag on the message m.
    If Tag is deterministic, then Vrfyjust computes Tagand compares the result.
    In this case we do not need to define Vrfyexplicitly.
  • 13. 12
    How to define security?
    We need to specify:
    how the messages m1,...,mware chosen,
    what is the goal of the adversary.
    Good tradition:be as pessimistic as possible!
    Therefore we assume that
    The adversary is allowed to chose m1,...,mw.
    The goal of the adversary is to produce a valid tag onsome m’ such that m’ ≠m1,...,mw.
  • 14. 13
    security parameter
    1n
    selects random ak Є{0,1}n
    m1
    adversary
    (m1, t=Tagk(m1))
    oracle
    . . .
    mw
    (mw, t=Tagk(mw))
    We say that the adversary breaks the MAC scheme at the end she outputs (m’,t’) such that
    Vrfy(m’,t’) = yes
    and
    m’ ≠m1,...,mw
  • 15. 14
    The security definition
    We say that (Tag,Vrfy) is secure if
    A
    P(A breaks it) is negligible (inn)
    polynomial-timeadversary A
  • 16. 15
    Aren’t we too paranoid?
    Maybe it would be enough to require that:
    the adversary succeds only if he forges a message that “makes sense”.
    (e.g.: forging a message that consists of random noise should not count)
    Bad idea:
    hard to define,
    is application-dependent.
  • 17. 16
    (m, t)
    (m, t)
    (m, t)
    Warning: MACs do not offer protection against the “replay attacks”.
    (m, t)
    Alice
    Bob
    Since Vrfyhas no state (or “memory”) there is no way to detect that (m,t) is not fresh!
    . . .
    This problem has to be solved by the higher-level application
    (methods: time-stamping, sequence numbers...).
  • 18. Authentication and Encryption
    Options:
    Encrypt-and-authenticate:
    c := Enck1(m) and t:= Tagk2 (m), send (c,t)
    Authenticate-then-encrypt:
    t:= Tagk2 (m) and c := Enck1(m||t), send (c,t)
    Encrypt-then-authenticate:
    c := Enck1(m) and t:= Tagk2 (c), send (c,t)
    c := Enck1(m)
    c := Enck1(m ||t)
    m
    t:= Tagk2 (m)
    m
    t:= Tagk2 (m)
    wrong
    better
    the best
    t:= Tagk2 (c)
    m
    c := Enck1(m)
  • 19. 18
    Constructing a MAC
    There exist MACs that are secure even if the adversary is infinitely-powerful.These constructions are not practical.
    MACs can be constructed from the block-ciphers. We will now discuss to constructions:
    simple (and not practical),
    a little bit more complicated (and practical) – a CBC-MAC
    MACs can also be constructed from the hash functions (NMAC, HMAC).
  • 20. Plan
    Introduction to message authentication codes (MACs).
    Constructions of MACs from block ciphers
    Hash functions
    a definition
    constructions
    the “birthday attack”
    concrete functions
    a construction of MACs from hash functions
    the random oracle model
  • 21. A simple construction from a block cipher
    Let
    F : {0,1}n× {0,1}n -> {0,1}n
    be a block cipher.
    We can now define a MAC scheme that works only for messages m Є{0,1}n as follows:
    Tag(k,m) = F(k,m)
    It can be proven that it is a secure MAC.
    How to generalize it to longer messages?
    F(k,m)
    Fk
    k
    m
    20
  • 22. 21
    Idea 1
    • divide the message in blocksm1,...,md
    • 23. and authenticateeach block separately
    F(k,m1)
    F(k,md)
    Fk
    Fk
    . . .
    m1
    md
    Thisdoesn’t work!
  • 24. 22
    What goes wrong?
    m:
    t = Tagk(m):
    perm
    m’ = perm(m):
    t’ = perm(t):
    Then t’ is a valid tag on m’.
  • 25. 23
    Idea 2
    Add a counter to each block.
    F(k,x1)
    F(k,xd)
    Fk
    Fk
    . . .
    m1
    md
    1
    d
    x1
    xd
    This doesn’t work either!
  • 26. 24
    mi
    i
    xi
    m:
    t = Tagk(m):
    m’ = a prefix of m:
    t’ = a prefix of t:
    Then t’ is a valid tag on m’.
  • 27. 25
    Idea 3
    Addl := |m|toeach block
    F(k,x1)
    F(k,xd)
    Fk
    Fk
    . . .
    m1
    md
    1
    d
    l
    l
    x1
    xd
    This doesn’t work either!
  • 28. 26
    m1
    1
    l
    xi
    What goes wrong?
    m:
    m’:
    t = Tagk(m):
    t’ = Tagk(m’):
    m’’= first half from m|| second half from m’
    t’’ = first half from t || second half from t’
    Then t’’ is a valid tag on m’’.
  • 29. 27
    Idea 4
    Add a freshrandomvaluetoeach block!
    F(k,x1)
    F(k,xd)
    Fk
    Fk
    . . .
    md
    d
    l
    r
    md
    d
    l
    r
    x1
    xd
    Thisworks!
  • 30. 28
    tagk(m)
    F(k,x1)
    F(k,x2)
    F(k,xd)
    r
    Fk
    Fk
    Fk
    . . .
    . . .
    1
    l
    r
    m2
    2
    r
    md
    d
    r
    m1
    l
    l
    x2
    x1
    xd
    . . .
    r is chosen randomly
    m1
    m2
    md
    m
    000
    n – block length
    l
    |mi| = n/4
    pad with zeroes if needed
  • 31. 29
    This construction can be proven secure
    Theorem
    Assuming that
    F : {0,1}n× {0,1}n -> {0,1}n is a pseudorandompermutation
    the construction from the previous slide is a secure MAC.
    Proof idea:
    Suppose it is not a secure MAC.
    Let A be an adversary that breaks it with a non-negligible probability.
    We construct a distinguisher D that distinguishes F from a random permutation.
  • 32. A new member of “Minicrypt”
    one-way functions
    exist
    this can be proven
    this we already knew
    computationally-secure
    MACs exist
    cryptographic PRGs
    exist
    this we have just proven
  • 33. 31
    Problem:
    The tag is 4 times longer than the message...
    This construction is not practical
    We can do much better!
  • 34. 32
    CBC-MAC
    F : {0,1}n× {0,1}n -> {0,1}n- a block cipher
    tagk(m)
    Fk
    Fk
    Fk
    Fk
    Fk
    . . .
    m1
    m2
    m3
    md
    |m|
    m
    0000
    pad with zeroes if needed
    Other variants exist!
  • 35. 33
    tagk(m)
    Fk
    Fk
    Fk
    Fk
    Fk
    . . .
    m1
    m2
    m3
    md
    |m|
    Why is this needed?
    Suppose we donot prepend |m|...
  • 36. 34
    t1=tagk(m1)
    t2=tagk(m2)
    the adversarychooses:
    Fk
    Fk
    m1
    m2
    t’= tagk(m’)
    t1
    t’ = t2
    Fk
    Fk
    now she can compute:
    m2
    m1
    m2xor t1
    m’
  • 37. 35
    Some practictioners don’t like the CBC-MAC
    We don’t want to authenticate using the block ciphers!
    What do you want to use instead?
    Hash functions!
    Why?
    Because:
    they are more efficient,
    they are notprotectedby the export regulations.
  • 38. Plan
    Introduction to message authentication codes (MACs).
    Constructions of MACs:
    from pairwise independent functions
    from block ciphers
    Hash functions
    a definition
    constructions
    the “birthday attack”
    concrete functions
    a construction of MACs from hash functions
    the random oracle model
  • 39. 37
    Another idea for authenticating long messages
    Fk(h(m))
    a block cipher
    Fk
    k
    h(m)
    a “hashfunction” h
    long m
    By the way: a similar method is used in the public-key cryptography (it is called “hash-and-sign”).
  • 40. How to formalize it?
    We need to define what is a “hash function”.
    The basic property that we require is:
    “collision resistance”
  • 41. 39
    Collision-resistant hash functions
    short H(m)
    a hash function
    H : {0,1}* -> {0,1}L
    longm
    collision-resistance
    a “collision”
    Requirement: itshouldbe hard tofind a pair(m,m’)suchthat
    H(m) =H(m’)
  • 42. 40
    Collisions always exist
    domain
    m
    range
    m’
    Since the domain islargerthan the range the collisionshavetoexist.
  • 43. 41
    “Practical definition”
    H is a collision-resistanthashfunctionifitis “practicallyimpossibletofindcollisions in H”.
    Popularhashfuncitons:
  • 42
    How to formally define “collision resitance”?
    Idea
    Saysomethinglike: His a collision-resistanthashfunctionif
    A
    P(A finds a collision in H) is small
    efficientadversary A
    Problem
    For a fixedHtherealwaysexist a constant-timealgorithmthat “finds a collision in H” in constanttime.
    Itmaybe hard tofindsuchanalgorithm, butitalwaysexists!
  • 46. 43
    Solution
    Whenwe prove theoremswewillalwaysconsider
    familiesofhashfunctions
    indexedby a key s
    {Hs} s є keys
  • 47. 44
    informal description:
    “knows H”
    a protocol
    H
    H
    H
    formal model:
    sis chosen
    randomly
    a protocol
    s
    Hs
    Hs
    Hs
  • 48. 45
    informal description:
    “knows H”
    a protocol
    H
    H
    H
    H
    real-life implementation (example):
    “knows SHA1”
    a protocol
    SHA1
    SHA1
    SHA1
  • 49. 46
    Hash functions – the functional definition
    A hashfunctionis a probabilisticpolynomial-time algorithmH such that:
    H takes as input a key sє {0,1}nand a message x є {0,1}*and outputs a string
    Hs(x)є {0,1}L(n)
    where L(n)is some fixed function.
  • 50. 47
    Hashfunctions – the security definition [1/2]
    1n
    selects a random
    s є {0,1}n
    s
    outputs (m,m’)
    WesaythatadversaryAbreaks the functionHifHs(m) = Hs(m’).
  • 51. 48
    Hash functions – the security definition [2/2]
    His a collision-resistanthashfunctionif
    A
    P(A breaks H)is negligible
    polynomial-timeadversary A
  • 52. 49
    How to formalize our idea?
    Fk(h(m))
    a block cipher
    Fk
    k
    h(m)
    a “hashfunction” h
    long m
  • 53. Authentication scheme - formally
    A key for the MAC is a pair:
    (s,k)
    a key for the hash function H
    a key for the PRP F
    Tag((k,s),m) = Fk(Hs(m))
    Theorem. If H and F are secure then Tag is secure.
    This is proven as follows.
    Suppose we have an adversary that breaks Tag. Then we can construct:
    a distinguisher for F
    an adversary for H
    or
    simulates
    simulates
  • 54. Do collision-resilient hash functions belong to minicrypt?
    collision-resilient hash functions exist
    ?
    open problem
    easy exercise
    one-way functions
    exist
    [D. Simon: Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? 1998]:
    there is no “black-box reduction”.
  • 55. 52
    A common method for constructing hash functions
    Construct a “fixed-input-length” collision-resistanthashfunctionCallit: a collision-resistantcompressionfunction.
    Useittoconstruct a hashfunction.
    L
    h(m)
    h : {0,1}2·L-> {0,1}L
    m
    2·L
  • 56. 53
    h
    h
    h
    An idea
    pad with zeroes
    if needed
    t
    m
    0000
    . . .
    m1
    m2
    mB
    miє {0,1}L
    . . .
    IV
    H(m)
    can be arbitrary
    This doesn’t work...
  • 57. 54
    Why is it wrong?
    t
    m
    0000
    . . .
    m1
    m2
    mB
    If we set m’ = m || 0000 then H(m’) = H(m).
    Solution: add a block encoding “t”.
    t
    m’
    0000
    . . .
    m’1
    m’2
    m’B
    m’B+1 := t
  • 58. 55
    Merkle-Damgård transform
    h
    h
    h
    h
    given h : {0,1}2L-> {0,1}Lwe construct H : {0,1}*-> {0,1}L
    doesn’t need to be know in advance
    (nice!)
    t
    m
    0000
    m1
    m2
    mB
    mB+1 := t
    miє {0,1} L
    . . .
    IV
    H(m)
  • 59. 56
    This construction is secure
    Wewouldliketo prove the following:
    Theorem
    If
    h : {0,1}2L-> {0,1}L
    is a collision-resistant compression function
    then
    H : {0,1}*-> {0,1}L
    is a collision-resistant hash function.
    But wait….
    It doesn’t make sense…
  • 60. What to do?
    To be formal, we would need to consider
    families of functionsh and Hindexed by key s
    Let’s stay on the informal level and “argue” that:
    “if one can find a collision in H then one can find a collision in h”
  • 61. 58
    abreaksh
    (m,m’)
    AbreaksH
    a collision in H
    outputsa collision(x,y) in h
  • 62. 59
    How to compute a collision (x,y) in h from a collision (m,m’) in H?
    Weconsidertwooptions:
    |m| = |m’|
    |m| ≠ |m’|
  • 63. 60
    Option 1: |m| = |m’|
    t
    m
    0000
    m1
    m2
    mB
    mB+1 := t
    t
    m
    0000
    m1
    m2
    mB
    mB+1 := t
  • 64. |m| = |m’|
    h
    h
    h
    h
    Some notation:
    m
    0000
    m1
    m2
    mB
    mB+1 := t
    . . .
    IV
    zB+1
    z2
    z1
    z3
    zB
    H(m)
    61
  • 65. 62
    |m| = |m’|
    h
    h
    h
    h
    For m’:
    m’
    0000
    m’1
    m’2
    m’B
    m’B+1 := t
    . . .
    IV
    z’2
    z’1
    z’3
    z’B+1
    H(m’)
    z’B
  • 66. 63
    equal
    zB+2=H(m)
    zB+2=H(m’)
    zB+1
    mB+1
    z’B+1
    m’B+1
    zB
    mB
    z’B
    m’B
    . . .
    . . .
    z3
    z3
    notequal
    z2
    m2
    z’2
    m’2
    z1 = IV
    m1
    z’1 = IV
    m’1
  • 67. 64
    equal
    zB+2=H(m)
    zB+2=H(m’)
    zB+1
    mB+1
    z’B+1
    m’B+1
    Leti*be the leasti suchthat
    (mi,zi) = (m’i,z’i)
    (becausem ≠ m’suchani* > 1alwaysexists!)
    zB
    mB
    z’B
    m’B
    . . .
    . . .
    z2
    m2
    z’2
    m’2
    z1 = IV
    m1
    z’1 = IV
    m’1
  • 68. 65
    So, we have found a collision!
    equal
    zi*
    z’i*
    h
    h
    notequal
    zi*-1
    mi*-1
    z’i*-1
    m’i*-1
  • 69. 66
    Option 2: |m| ≠ |m’|
    equal
    H(m)
    H(m’)
    zB+1
    mB+1
    z’B’+1
    m’B’+1
    . . .
    . . .
    the last block encodesthe length on the messageso thesevaluescannotbeequal!
    So, again we have found a collision!
  • 70. 67
    Concrete functions
    MD5,
    SHA-1, SHA-256,...
    ....
    all use (variants of) Merkle-Damgårdtransformation.
    Hashfunctions can alsobeconstructedusing the numbertheory.
  • 71. Plan
    Introduction to message authentication codes (MACs).
    Constructions of MACs:
    from pairwise independent functions
    from block ciphers
    Hash functions
    a definition
    constructions
    the “birthday attack”
    concrete functions
    a construction of MACs from hash functions
    the random oracle model
  • 72. 69
    What the industry says about the “hash and authenticate” method?
    the block cipher is still there...
    Why don’t we just hash a message together with a key:
    MACk(m) = H(k || m)
    ?
    It’s not secure!
  • 73. 70
    Suppose H was constructed using the MD-transform
    she can fabricate this
    MACk(m||t)
    she can see this
    t + L
    MACk(m)
    MACk(m)
    zB
    t
    zB
    t
    z2
    m
    z2
    m
    IV
    k
    IV
    k
    L
  • 74. 71
    A better idea
    M. Bellare, R. Canetti, and H. Krawczyk (1996):
    NMAC (Nested MAC)
    HMAC (Hash based MAC)
    have some “provable properites”
    They both use the Merkle-Damgårdtransform.
    Again, let h : {0,1}2L-> {0,1}L be a compression function.
  • 75. 72
    NMAC
    h
    h
    h
    h
    m
    0000
    m1
    mB
    mB+1 := |m|
    . . .
    k1
    k2
    NMAC(k1,k2) (m)
  • 76. 73
    h
    What can be proven
    Suppose that
    his collision-resistant
    the following function is a secure MAC:
    ThenNMAC is a secure MAC.
    m
    k2
    MACk2(m)
  • 77. 74
    Looks better, but
    our libraries do not permit to change the IV
    the key is too long: (k1,k2)
    HMAC is the solution!
  • 78. 75
    HMAC
    h
    h
    h
    h
    k xor ipad
    m1
    mB+1 := |m|
    ipad = 0x36 repeated
    opad = 0x5C repeated
    . . .
    IV
    IV
    h
    HMACk (m)
    k xoropad
  • 79. 76
    HMAC – the properties
    Looks complicated, but it is very easy to implement (given an implementation of H):
    HMACk(m) = H((k xoropad) || H(k xoripad || m))
    It has some “provable properties” (slightly weaker than NMAC).
    Widely used in practice.
    We like it!
  • 80. Plan
    Introduction to message authentication codes (MACs).
    Constructions of MACs:
    from pairwise independent functions
    from block ciphers
    Hash functions
    a definition
    constructions
    the “birthday attack”
    concrete functions
    a construction of MACs from hash functions
    the random oracle model
  • 81. Other uses of “hash functions”
    Hash functions are used by practicioners to convert “non-uniform randomness” into a uniform one.
    Example:
    shorter “uniformlyrandom” H(m)
    a hashfunction
    H : {0,1}* -> {0,1}L
    usergeneratedrandomnessX (key strokes, mouse movements, etc.)
  • 82. Example: password-based encryption
    H – hash function
    (E,D) – encryption scheme
    messagem
    m = D(H(π),c)
    c = E(H(π),m)
    Alice
    Bob
    shared password π
    shared password π
    Informally:
    The only thing that Eve can do is to examine all possible passwords .
    Warning:
    there exist much better solutions for this problem
  • 83. Random oracle model
    [Bellare, Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, 1993]
    Idea: model the hash function as a random oracle.
    x
    H(x)
    a completely random function
    H : {0,1}* -> {0,1}L
  • 84. Remember the pseudorandom functions?
    x
    x’
    F(x)
    F(x’)
    A random function
    F: {0,1}m->{0,1}m
    x’’
    F(x’’)
    Crucial difference:
    Also the adversary can query the oracle
  • 85. 82
    informal description:
    “knows H”
    a protocol
    H
    formal model:
    Every call to H is replaced with a query to the oracle.
    H : {0,1}* -> {0,1}L
    a protocol
    also the adversary is allowed to query the oracle.
  • 86. How would we use it in the proof?
    shorter “uniformlyrandom” H(X)
    a hashfunction
    H : {0,1}* -> {0,1}L
    usergeneratedrandomnessX
    As long as the adversary never queried the oracle on Xthe value H(X) “lookscompletelyrandomtohim”.
  • 87. Criticism of the Random Oracle Model
    [Canetti, Goldreich, Halevi: The random oracle methodology, revisited. 1998]
    There exists a signature scheme that is
    secure in ROM
    but
    is not secure if the random oracle is replaced with any real hash function.
    This example is very artificial. No “realistic” example of this type is know.
  • 88. Terminology
    Model without the random oracles:
    • “plain model”
    • 89. “cryptographic model”
    Random Oracle Model is also called:
    the “Random Oracle Heuristic”.
    Common view: a ROM proof is better than nothing.
  • 90. Plan
    Introduction to message authentication codes (MACs).
    Constructions of MACs:
    from pairwise independent functions
    from block ciphers
    Hash functions
    a definition
    constructions
    a construction of MACs from hash functions
    the random oracle model
  • 91. Secure communication
    1
    2
    3
    4
  • 92. Outlook
    cryptography
    “information-theoretic”,
    “unconditional”
    “computational”
    based on 2 simultaniousassumptions:
    some problems are computationally difficult
    our understanding of what “computational difficulty” means is correct.
  • 95. Symmetric cryptography
    symmetric cryptography
    encryption
    authentication
  • 96. The basic information-theoretic tool
    xor(one-time pad)
  • 97. Basic tools from the computational cryptography
    one-way functions
    pseudorandom generators
    pseudorandom functions/permutations
    hash functions
  • 98. A method for proving security: reductions
    minicrypt
    P ≠ NP
    hash functions
    one-way functions
    pseudorandom generators
    pseudorandom functions/permutations
    computationally-secure authentication
    in general the picture is much more complicated!
    computationally-secure encryption