css322y13s2l08 message authentication codes

8/11/2019 Css322y13s2l08 Message Authentication Codes

1/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

1/21

Message Authentication Codes

CSS322: Security and Cryptography

Sirindhorn International Institute of TechnologyThammasat University

Prepared by Steven Gordon on 28 October 2013css322y13s2l08, Steve/Courses/2013/s2/css322/lectures/mac.tex, r2965
http://find/http://goback/


2/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

2/21

Contents

Message Authentication Requirements and Functions

Authentication using Symmetric Key Encryption

Authentication with Message Authentication Codes

Security of MACs

MAC Algorithms
http://find/


3/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

3/21

Attacks on Communications across Network

1. Disclosure: encryption

2. Traffic analysis: encryption

3. Masquerade: message authentication

4. Content modification: message authentication

5. Sequence modification: message authentication

6. Timing modification: message authentication

7. Source repudiation: digital signatures

8. Destination repudiation: digital signatures
http://find/


4/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

4/21

Authentication

Receiver wants to verify:

1. Contents of the message have not been modified (data

authentication)2. Source of message is who they claim to be (source

authentication)

Different approaches available: Symmetric Key Encryption Message Authentication Codes (MACs) Hash Functions Public Key Encryption (i.e. Digital Signatures)
http://find/


5/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

5/21

Contents




Security of MACs

MAC Algorithms
http://find/


6/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

6/21

Symmetric Encryption for Authentication

Credit: Figure 12.1(a) in Stallings, Cryptography and Network Security, 5th Ed., Pearson 2011

Confidentiality: only B (and A) can recover plaintext

Source Authentication: A is only other user with key;must have come from A

Data Authentication: successfully decrypted; data hasnot been modified

Assumption: decryptor can recognise correct plaintext
http://find/


7/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

7/21

Recognising Correct Plaintext

Example 1

Breceives ciphertext (supposedly from A, using sharedsecret key K):

DPNFCTEJLYONCJAEZRCLASJTDQFY

Bdecrypts with key K to obtain plaintext:

SECURITYANDCRYPTOGRAPHYISFUN

Was the plaintext encrypted with key K (and hencesent by A)?

Is the ciphertext received the same as the ciphertext

sent by A?
http://find/


8/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

8/21


Example 2


QEFPFPQEBTOLKDJBPPXDBPLOOVX


FTUEUEFTQIDAZSYQEEMSQEADDKM



sent by A?


9/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

9/21


Example 3


0110100110101101010110111000010


0101110100001101001010100101110



sent by A?
http://find/


10/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

10/21


Example 1

Assume the message is English Plaintext had expected structure; assume the plaintext

is correct Sent by A and has not been modified

Example 2

Assume the message is English

Plaintext had no structure in expected language;assume plaintext is incorrect

Either not sent by A or modified

Example 3

Binary data, e.g. image, compressed file

Cannot know whether correctorincorrect
http://find/


11/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

11/21


Valid plaintexts should be small subset of all possiblemessages

E.g. 26n

possible messages of length n; only smallsubset are valid English phrases

Plaintext messages have structure

BUT automatically detecting structure can be difficult

Add structure to make it easier, e.g. Error detecting code or Frame Check Sequence Packet header
http://find/


12/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

12/21

Contents




Security of MACs

MAC Algorithms


13/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

13/21

Authentication with Message Authentication

Codes

Append small, fixed-size block of data to message:

cryptographic checksum or MAC

T=MAC(K, M)

M= input message

MAC= MAC functionK= shared secret key ofk bitsT= message authentication code (or tag) ofn bits

MAC function also called keyed hash function

MAC function similar to encryption, but does not needto be reversible Easier to design stronger MAC functions than

encryption functions


14/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

14/21

Example Uses of MAC

Credit: Figure 12.4 in Stallings, Cryptography and Network Security,5thEd.,Pearson2011
http://find/


15/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

15/21

Contents




Security of MACs

MAC Algorithms

CSS322


16/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

16/21

Requirement of MACs

Objective of Attacker

Assume MAC function is known, key K is not For valid MAC code for given message x

Requirement of MAC Function

Computation Resistance : given one or more text-MAC pairs[xi, MAC(K, xi)], computationally infeasible tocompute any text-MAC pair [x, MAC(K, x)]for new input x=xi

CSS322


17/21

CSS322

Introduction

Functions

Auth. with

Encryption

Auth. with MAC

Security

Algorithms

17/21

Security of MACs

Brute Force Attack on Key

Attacker knows [x1, T1] where T1 =MAC(K, x1) Key size ofkbits: brute force on key, 2k

But . . . many tags matchT1 For keys that produce tag T1, try again with [x2, T2]

Effort to find K is approximately 2k

Brute Force Attack on MAC value

For xm, find Tm without knowing K

Similar effort required as one-way/weak collisionresistant property for hash functions

For n bit MAC value length, effort is 2n

Effort to break MAC: min(2k,

2n

)

CSS322S f C


18/21

CSS322

Introduction

Functions

Auth. with

EncryptionAuth. with MAC

Security

Algorithms

18/21

Security of MACs

Cryptanalysis

Many different MAC algorithms; attacks specific toalgorithms

MAC algorithms generally considered secure

CSS322C


19/21

CSS322

Introduction

Functions

Auth. with


Security

Algorithms

19/21

Contents




Security of MACs

MAC Algorithms

CSS322MAC B d Bl k Ci h
http://find/


20/21

CSS322

Introduction

Functions

Auth. with


Security

Algorithms

20/21

MACs Based on Block Ciphers

Data Authentication Algorithm (DAA): based on DES;considered insecure

Cipher-Based Message Authentication Code (CMAC):mode of operation used with Triple-DES and AES

OMAC, PMAC, UMAC, VMAC, . . .

CSS322HMAC
http://find/


21/21

CSS322

Introduction

Functions

Auth. with


Security

Algorithms

21/21

HMAC

MAC function derived from cryptographic hashfunctions

MD5/SHA are fast in software (compared to blockciphers) Libraries for hash functions widely available

HMAC(K, M) =H((K opad)||H((K ipad)||M))

where ipad= 00110110 repeated, opad= 01011100repeated

Security of HMAC depends on security of hash functionused
http://find/

css322y13s2l08 message authentication codes

Documents