![Page 1: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/1.jpg)
Message Authentication Codes (MACs) and Hashes
David [email protected] Mellon University
Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto class, which is awesome!
![Page 2: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/2.jpg)
2
Recap so far• Information theoretically secure encryption: ciphertext reveals nothing about the
plaintext
• Secure PRNG: Given first k output bits, adversary should do not better than guessing bit k+1– Principle: next bit is secure, not just “random looking” output
• Secure PRF: Adversary can’t tell the difference between real random function and PRF– Principle: computationally indistinguishable functions
• Semantic security (computationally secure encryption): Adversary picks m0,m1, receives encryption of one of them, can’t do better than guessing on which messages was encrypted.– Principle: ciphertext reveals no information about plaintext– Security is not just about keeping key private
![Page 3: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/3.jpg)
3
Message IntegrityGoal: integrity (not secrecy)
Examples:– Protecting binaries on disk.
– Protecting banner ads on web pages
Security Principles: – Integrity means no one can forge a signature
![Page 4: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/4.jpg)
4
CRC
Is this Secure?• No! Attacker can easily modify message m and
re-compute CRC.• CRC designed to detect random errors, not malicious
attacks.
Generate tag:tag CRC(m)
Verify tag:CRC(m, tag) ?= ‘yes’
Alice BobS Vmessage tag
![Page 5: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/5.jpg)
5
Message Authentication Codes (MAC)
Defn: A Message Authentication Code (MAC) MAC = (S,V) defined over (K,M,T) is a pair of algorithms:
– S(k,m) outputs t in T
– V(k,m,t) outputs `yes’ or `no’
– V(k, m, S(k,m)) = ‘yes’ (consistency req.)
Alice BobS Vmessage tag
k ksecret key required
![Page 6: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/6.jpg)
6
Example
Authorized Stock TickerPublisher
1. k = KeyGen(l)2. For each price update: t = S(stock||price,k)
Publish
Adversary
t = A(stock||price up)
e.g., to cause a buying frenzy
A secure MAC should prevent this
ConsumeV
![Page 7: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/7.jpg)
Example: TripwireAt install time, generate a MAC on all files:
F1
t1 = S(k,F1)
F2
t2 = S(k,F2)
Fn
tn = S(k,Fn)
⋯filename filename filename
Later a virus infects system and modifies system files
User reboots into clean OS and supplies password– Then: secure MAC all modified files will be detected⇒
![Page 8: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/8.jpg)
8
Secure MAC Game
Security goal: A cannot produce a valid tag on a message
– Even if the message is gibberish
Challenger1. k = KeyGen(l)
3. Compute i in 1...q: ti = S(mi, k)
5. b = V(m,t,k)
Adversary A
2. Picks m1, ..., mq
4. picks m not in m1,...,mq
Generates t
m1,...,mq
t1,...,tq
m,t
b = {yes,no} existential forgery if b=“yes”
![Page 9: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/9.jpg)
9
Secure MAC Game
Def: I=(S,V) is a secure MAC if for all “efficient” A:
AdvMAC[A,I] = Pr[Chal. Outputs “yes”] < ε
Challenger1. k = KeyGen(l)
3. Compute i in 1...q: ti = S(mi, k)
5. b = V(m,t,k)
Adversary A
2. Picks m1, ..., mq
4. picks m not in m1,...,mq
Generates t
m1,...,mq
t1,...,tq
m,t
b = {yes,no}
![Page 10: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/10.jpg)
Let I = (S,V) be a MAC.
Suppose an attacker is able to find m0 ≠ m1 such that
S(k, m0) = S(k, m1) for ½ of the keys k in K
Can this MAC be secure?
1. Yes, the attacker cannot generate a valid tag for m0 or m1
2. No, this MAC can be broken using a chosen msg attack3. It depends on the details of the MAC
1. A sends m0, receives (m0, t0)
2. A wins with (m1, t0)
3. Adv[A,I] = ½ since prob. of key is ½.
![Page 11: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/11.jpg)
11
MACs from PRFs
![Page 12: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/12.jpg)
12
Secure PRF implies secure MACFor a PRF F: K × X Y, define a MAC I⟶ F = (S,V) as:
– S(k,m) = F(k,m)
– V(k,m,t): if t = F(k,m), output ‘yes’ else ‘no’
tag F(k,m) accept msg if
tag = F(k,m)
Attacker who knows F(k,m1), F(k,m2), ..., F(k, mq)
has no better than 1/|Y| chance of finding valid tag for new m
Alice BobS Vm, tag
![Page 13: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/13.jpg)
13
SecurityThm: If F: K×X Y⟶ is a secure PRF and 1/|Y| is negligible (i.e., |Y| is large), then IF is a secure MAC.
In particular, for every eff. MAC adversary A attacking IF, there exists an eff. PRF adversary B attacking F s.t.:
AdvMAC[A, IF] = AdvPRF[B, F] + 1/|Y|
A can’t do better than
brute forcing
![Page 14: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/14.jpg)
14
Proof Sketch
A wins iff t=f(k,m) and m not in m1,...,mq
PR[A wins] = Pr[A guesses value of rand. function on new pt]
= 1/|Y|
b
Let f be a truly random function
m1,...,mq
Adversary A
1. Picks m1, ..., mq
4. picks m not in m1,...,mq. Generates t
t1,...,tx
m,t
Challenger
2. f from FUNS[X,Y]3. Calculatesti = f(k, mi)
![Page 15: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/15.jpg)
15
QuestionSuppose F: K × X Y ⟶ is a secure PRF with Y = {0,1}10
Is the derived MAC IF a practically secure MAC system?
1. Yes, the MAC is secure because the PRF is secure
2. No tags are too short: guessing tags isn’t hard
3. It depends on the function F
Adv[A,F] = 1/1024 (we need |Y| to be large)
![Page 16: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/16.jpg)
16
Secure PRF implies secure MAC
S(k,m) = F(k,m)
Assuming output domain Y is large
So AES is already a secure MAC.... ... but AES is only defined on 16-byte messages
![Page 17: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/17.jpg)
17
Given: a PRF for shorter messages (e.g., 16 bytes)Goal: build a MAC for longer messages (e.g., gigabytes)
Construction examples:– CBC-MAC: Turn small PRF into big PRF– HMAC: Build from collision resistance– (Others not covered: NMAC/PMAC)
Building Secure MACs
![Page 18: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/18.jpg)
18
raw CBC
Construction 1: Encrypted CBC-MAC(ECBC-MAC)
F(k,) F(k,) F(k,)
m[0] m[1] m[3] m[4]
F(k,)
F(k1,)tagLet F: K × X X⟶ be a PRP
Define new PRF FECBC : K2 × X≤L X ⟶
Why?<= L means any length
IV
assume 0
![Page 19: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/19.jpg)
19
AttackSuppose we define a MAC IRAW = (S,V) where
S(k,m) = rawCBC(k,m)
Then IRAW is easily broken using a 1-chosen msg attack.
Adversary works as follows:1. Choose an arbitrary one-block message mX
2. Request tag for m. Get t = F(k,m)
3. Output t as MAC forgery for the 2-block message m|| tm
![Page 20: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/20.jpg)
20
Attack
t
F(k,)
m
Break in 1-chosen message attack
Problem: rawCBC(k, m|| tm ) = F(k, F(k,m)(tm) ) = F(k, t(tm) ) = F(k,m) = t
IV
F(k,)
m tm
F(k,)
m
t
IV
![Page 21: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/21.jpg)
21
ECBC-MAC analysisRecall: We built ECBC-MAC from a PRP (e.g., block cipher)
F: K x X -> X
Theorem: For any L>0,
For every eff. q-query PRF adv. A attacking FECBC there
exists an eff. adversary B s.t.:
AdvPRF[A, FECBC] AdvPRP[B, F] + 2 q2 / |X|
CBC-MAC is secure as long as q << |X|1/2
After signing |X|1/2 messages, rekey
![Page 22: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/22.jpg)
22
Implications
AdvPRF[A, FECBC] AdvPRP[B, F] + 2 q2 / |
X|
# msgs MAC’ed with key
Suppose we want AdvPRF[A, FECBC] ≤ 1/232
– then (2q2 /|X|) < 1/232 – AES: |X| = 2128 q < 2⇒ 48
– 3DES: |X| = 264 q < 2⇒ 16
Must change key after 248, 216 msgs
128-32 = 96q2 = 248*2 = 296.
![Page 23: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/23.jpg)
23
Extension AttackSuppose the underlying PRF F is a PRP (e.g., AES). Let FBIG be ECBC. Then FBIG has the following extension property:
x,y,w: ∀ FBIG(k, x) = FBIG(k, y) F⇒ BIG(k, x||w) = FBIG(k, y||w)
F F F
m[0] ... w
k0
F(k,x) = F(k,y) here
F(k,x||w) = F(k,y||w) here
Attacker just needs to find such an x and y
![Page 24: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/24.jpg)
24
Collisions and the Birthday Paradox
![Page 25: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/25.jpg)
25
Birthday ParadoxPut n people in a room. What is the probability that 2 of them have the same birthday?
P1
P2
P3
P4
Pn
PR[Pi = Pj] > .5 with 23 people.(Think: n2 different pairs)
Rule of Thumb: N possibilities, and j random samples Pr[collision]≈ 50%
when j = sqrt(N)
![Page 26: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/26.jpg)
26
Generic attack on hash functionsLet H: M {0,1}n be a hash function ( |M| >> 2n )
Generic alg. to find a collision in time O(2n/2) hashes
Algorithm:1. Choose 2n/2 random messages in M:
m1, …, m2n/2 (distinct w.h.p )
2. For i = 1, …, 2n/2 compute ti = H(mi) {0,1}∈ n
3. Look for a collision (ti = tj). If not found, got back to step 1.
How well will this work?
![Page 27: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/27.jpg)
27
The birthday paradoxLet r1, …, ri {1,…,n} be indep. identically ∈distributed integers.
Thm: when i= 1.2 × n1/2 then Pr[ i≠j: r∃ i = rj ] ≥ ½
If H: M-> {0,1}n, then Pr[collision] ~ ½ with n1/2 hashes
![Page 28: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/28.jpg)
28
B=106
# samples n
50% prob of collision with ~1200 hashes
![Page 29: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/29.jpg)
29
Recall
AdvPRF[A, FECBC] AdvPRP[B, F] + 2 q2 / |
X|
# msgs MAC’ed with key
Suppose we want AdvPRF[A, FECBC] ≤ 1/232
– then (2q2 /|X|) < 1/232 – AES: |X| = 2128 q < 2⇒ 47
– 3DES: |X| = 264 q < 2⇒ 15
Must change key after 247, 215 msgs
Reason: the Birthday Paradox.
![Page 30: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/30.jpg)
30
Generic attackLet FBIG: K x M Y be a MAC with the extension property (e.g., CBC-MAC):
FBIG(k, x) = FBIG(k, y) F⇒ BIG(k, x||w) = FBIG(k, y||w)
1. For i = 1, …, 2n/2 get ti = F(k, mi,)
2. Look for a collision (ti = tj). (birthday paradox) If not found, got back to step 1.
3. Choose some w and for query t = FBIG(mi || w)
4. Output forgery (mj||w, t)
![Page 31: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/31.jpg)
31
Implications
AdvPRF[A, FECBC] AdvPRP[B, F] + 2 q2 / |
X|Suppose we want AdvPRF[A, FECBC] ≤ 1/232
– then (2q2 /|X|) < 1/232 – AES: |X| = 2128 q < 2⇒ 47
– 3DES: |X| = 264 q < 2⇒ 15
Need PRF that can quickly change keys.
![Page 32: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/32.jpg)
32
Padding
![Page 33: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/33.jpg)
33
F(k,) F(k,) F(k,)
m[0] m[1] m[3] m[4]
F(k,)
F(k1,)tag
What if msg not a multiple of block size?
Recall CBC-MAC???
![Page 34: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/34.jpg)
34
CBC MAC padding
Yes, the MAC is secure
No
It depends on the underlying MAC
m[0] m[1] m[0] 0000m[1]
Idea: pad m with 0’s
Is the resulting MAC secure?
Problem: given tag on msg m attacker obtains tag on m||0because pad(m) = pad(m||0)
Same Tag
$100 00
$10 000
![Page 35: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/35.jpg)
35
CBC MAC paddingFor security, padding must be one-to-one (i.e., invertible)!
m0 ≠ m1 pad(m⇒ 0) ≠ pad(m1)
ISO: pad with “100000”. Add new dummy block if needed.
– The “1” indicates beginning of pad.
m[0] m[1] m[0] m[1] 1000
m[0] m[1] m[0] m[1] 1000000000
If m is same as block size, add 1 block pad for
security
two distinct messages
map to two distinct
paddings
![Page 36: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/36.jpg)
37
HMAC (Hash-MAC)
Most widely used MAC on the Internet.
… but, we first we need to discuss hash function.
![Page 37: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/37.jpg)
38
Hash Functions
![Page 38: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/38.jpg)
39
Collision ResistanceLet H: X Y be a hash function ( |X| >> |Y| )
A collision for H is a pair m0 , m1 M such that:
H(m0) = H(m1) and m0 m1
A function H is collision resistant if for all (explicit) “eff” algs. A:
AdvCR[A,H] = Pr[ A outputs collision for H]
is “negligible”.
Example: SHA-256 (outputs 256 bits)
![Page 39: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/39.jpg)
40
General Idea
m
hk1PRF
k2
tag
Hash then PRF construction
![Page 40: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/40.jpg)
41
MACs from Collision ResistanceLet I = (S,V) be a MAC for short messages over (K,M,T) (e.g. AES)
Let H: X Y and S: K x Y T (|X| >> |Y|)
Def: Ibig = (Sbig , Vbig ) over (K, Xbig, Y) as:
Sbig(k,m) = S(k,H(m)) ; Vbig(k,m,t) = V(k,H(m),t)
Thm: If I is a secure MAC and H is collision resistant, then Ibig
is a secure MAC.
Example: S(k,m) = AES2-block-cbc(k, SHA-256(m)) is secure.
![Page 41: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/41.jpg)
42
MACs from Collision Resistance
Collision resistance is necessary for security:
Suppose: adversary can find m0 m1 s.t. H(m0) = H(m1).
Then: Sbig is insecure under a 1-chosen msg attack
step 1: adversary asks for t S(k, m⟵ 0)
step 2: output (m1 , t) as forgery
Sbig(k, m) = S(k, H(m)) ; Vbig(k, m, t) = V(k, H(m), t)
![Page 42: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/42.jpg)
44
Collision Resistance and Passwords
![Page 43: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/43.jpg)
45
PasswordsHow do we save passwords on a system?
– Idea 1: Store in cleartext– Idea 2: Hash
Enrollment: store h(password), where h is collision resistant
Verification: Check h(input) = stored passwd
Is this enough to be secure
![Page 44: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/44.jpg)
46
Brute ForceOnline Brute Force Attack:
input: hp = hash(password) to crackfor each i in dictionary fileif(h(i) == hp)output success;
Time Space Tradeoff Attack:precompute: h(i) for each i in dict file in hash tbl input: hp = hash(password) check if hp is in hash tbl “rainbow tables”
![Page 45: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/45.jpg)
47
SaltsEnrollment:
1. compute hp=h(password + salt)2. store salt || hp
Verification:3. Look up salt in password file4. Check h(input||salt) == hp
What is this good for security, given that the salt is public?
Salt doesn’t increase security against online attack, but does make tables much bigger.
![Page 46: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/46.jpg)
48
Merkle-DamgardHow to construct collision resistant hash functionshttp://www.merkle.com/
![Page 47: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/47.jpg)
49
Compression Function
A compression function mixes two fixed length inputs and produces a single fixed length output of the same size as one of the inputs
hK
MM
![Page 48: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/48.jpg)
50
The Merkle-Damgard iterated construction
Given h: T × X T (compression function)
we obtain H: X≤L T . Hi - chaining variables
PB: padding block
m[0] m[1] m[2] m[3] ll PB
IV(fixed) H(m)
H0 H1 H2 H3 H4
1000…0 ll msg len
64 bits
If no space for PB add another block
h h h h
![Page 49: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/49.jpg)
51
Security of Merkle-DamgardThm: if h is collision resistant then so is H.Proof Idea: via contrapositive. Collisions on H collision on ⇒ h
Suppose H(M) = H(M’). We build collision for h.
![Page 50: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/50.jpg)
52
Compression from a block cipherE: K× {0,1}n {0,1}n a block cipher.
The Davies-Meyer compression functionh(H, m) = E(m, H) H
Thm: Suppose E is an ideal cipher (collection of |K| random perms.).Finding a collision h(H,m)=h(H’,m’) takes O(2n/2) evaluations of (E,D).
E
mi
Hi
⨁Best possible !!
⨁
![Page 51: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/51.jpg)
53
Hash MAC (HMAC)Most widely used approach on the internet, e.g., SSL, SSH, TLS, etc.
![Page 52: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/52.jpg)
55
Attempt 1: Create MAC from Merkle-Damgard
Let H: X≤L T be a Merkle-Damgard hash, and:⟶ S(k,m) = H(k||m)is this secure? no! why?
m[0] m[1] m[2] m[3] || pad
IV(fixed) H(m)
H0 H1 H2 H3 H4
h h h h
Existential forgery: H(k||m[0..3]) = H(H(k||m[0...3])||w)
(just one more h)
![Page 53: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/53.jpg)
56
Build MAC out of a hash
• Example: H = SHA-256
HMAC: S( k, m ) = H( kopad , H( kipad || m ) )
Hash Mac (HMAC)
![Page 54: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/54.jpg)
57
HMAC
PB: Padding Block
m[0] m[1] m[2] || PB
h0 h1 h2 h3 h4
h h
h
h
IV
k ⨁ ipad
IV(fixed)
h
hk opad⨁ tag
![Page 55: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/55.jpg)
Authenticated Encryption and Cryptographic Protocols
![Page 56: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/56.jpg)
59
Encrypted with CBC and random IV
encrypted packets with key k
Destination Machine
Webserver(port = 80)
dest=80 msg a
msg a
Bob(port = 25)
msg b
k
k
IV1,
dest=25 msg bIV2,
Example Tampering Attack
Source
![Page 57: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/57.jpg)
60
Example Tampering Attack
Encrypted with CBC and random IV
encrypted packets with key k
Destination Machine
Webserver(port = 80)
dest=80 msg a
msg a
msg a
k
IV1,
dest=25 msg aIV2,
Eve can change destination (easy with CBC and rand IV)
k
Source
Bob(port = 25)
![Page 58: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/58.jpg)
61
Example Tampering Attack
Encrypted with CBC and random IV
encrypted packets with key k
Destination Machine
Webserver(port = 80)
dest=80 msg a
msg a
msg a
k
IV1,
dest=25 msg aIV2,
Eve can change destination (easy with CBC and rand IV)
k
Source
Bob(port = 25)
Active Attacker
![Page 59: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/59.jpg)
63
The Story So FarConfidentiality: semantic security against a CPA attack
– Examples: Using CBC with a PRP, AES
Integrity: security against existential forgery– Examples: CBC-MAC, NMAC, PMAC, HMAC
Now: security against tampering– Integrity + Confidentiality!
But you need to be careful in how you compose primitives
![Page 60: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/60.jpg)
64
Motivating Question: Which is Best?
E(kE , m||tag)S(kI, m)
m
Encryption Key = kE; MAC key = kI
Option 1: SSL (MAC-then-encrypt)
m tag m tag
S(kI , c)E(kE, m)
m
Option 2: IPsec (Encrypt-then-MAC)
m m tag
S(kI , m)E(kE, m)
m
Option 3: SSH (Encrypt-and-MAC)
m m tag
![Page 61: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/61.jpg)
65
An authenticated encryption system (E,D) is a cipher where
As usual: E: K × M × N C⟶ but D: K × C × N M { }⟶ ∪ ⊥
Security: the system must provide– Semantic security under CPA attack, and– ciphertext integrity. The attacker cannot create a
new ciphertext that decrypts properly.
reject ciphertext as invalid
![Page 62: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/62.jpg)
66
Chal. Adv A.
kK
c
m1 M
c1 E(k,m1)
b=1 if D(k,c) ≠⊥ and c { c1 , … , cq }
b=0 otherwise
b
m2 , …, mq
c2 , …, cq
Ciphertext Integrity GameFor b ={0,1}, define EXP(0) and EXP(1) as:
![Page 63: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/63.jpg)
67
Authenticated EncryptionDef: cipher (E,D) provides authenticated encryption (AE) if it is
(1) semantically secure under CPA, and(2) has ciphertext integrity
Counter-example: CBC with rand. IV does not provide AE
– D(k, ⋅) never outputs , hence adv. always wins ⊥ciphertext integrity game
![Page 64: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/64.jpg)
68
Implication 1: AuthenticityAttacker cannot fool Bob with a novel message
purporting to be from Alice
Alice Bob
k k
m1 , …, mq
ci = E(k, mi)
c
Cannot create valid c { c∉ 1, …, cq }
⇒ if D(k,c) ≠ Bob ⊥ guaranteed message is from someone who knows k (but could be a replay)
Eve
![Page 65: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/65.jpg)
69
Implication 2
Authenticated encryption ⇒
Security against chosen ciphertext attack
![Page 66: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/66.jpg)
70
Chosen Ciphertext AttacksDef: A CCA adversary has the capability to get ciphertexts of their choosing decrypted.
Alice Bob
k
Eve
k
VPNc = E(k,m) m
Eve sees c and m
c’
m’
![Page 67: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/67.jpg)
71
CCA Game Definition
b Chal.k K
Adv.
b’ {0,1}
mi,0 , mi,1 M : |mi,0| = |mi,1|
ci E(k, mi,b)
for i=1,…,q: (1) CPA query:
cj C : cj {c∉ 1, …, cq}
mj D(k, cj)
for j=1,…,r: (2) CCA query:
Ex: could query a
changed ci
![Page 68: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/68.jpg)
72
CCA Game Definition
b
Chal.k K
Adv.
b’ {0,1}
mi,0 , mi,1 M : |mi,0| = |mi,1|
ci E(k, mi,b)
for i=1,…,q: (1) CPA query:
ci C : ci {c∉ 1, …, ci-1}
mi D(k, ci)
(2) CCA query:
ENC = (E,D) is CCA secure iff the Adversary does not do statistically better than guessing.
![Page 69: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/69.jpg)
73
Example: CBC is not CCA Secure
Chal.kKb
Adv.m0 , m1 : |m0| = |m1|=1
c E(k, mb) = (IV, c[0])
c’ = (IV 1, c[0])⨁D(k, c’) = mb 1⨁ blearns b
![Page 70: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/70.jpg)
74
Thm: Let (E,D) be a cipher that provides AE. Then (E,D) is CCA secure .
AE implies CCA security!
![Page 71: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/71.jpg)
75
So What?Authenticated encryption assures security against:
– A passive adversary (CPA security)– An active adversary that can even decrypt some ciphertexts
(CCA security)
Limitations: – Does not protect against replay– Assumes no other information other than
message/ciphertext pairs can be learned.• Timing attacks out of scope• Power attacks out of scope• ...
![Page 72: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/72.jpg)
78
TheoremsLet (E,D) by a CPA secure cipher and (S,V) a MAC secure against existential forgery. Then:
1. Encrypt-then-MAC always provides authenticated encryption
2. MAC-then-encrypt may be insecure against CCA attacks
– however, when (E,D) is rand-CTR mode or rand-CBC, MAC-then-encrypt provides authenticated encryption
![Page 73: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/73.jpg)
79
Motivating Question: Which is Best?Encryption Key = kE; MAC key = kI
E(kE , m||tag)S(kI, m)
m
Option 1: SSL (MAC-then-encrypt)
m tag m tag
S(kI , c)E(kE, m)
m
Option 2: IPsec (Encrypt-then-MAC)
m m tag
S(kI , m)E(kE, m)
m
Option 3: SSH (Encrypt-and-MAC)
m m tag
✓AlwaysCorrect
![Page 74: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/74.jpg)
82
Summary
Encrypt-then-MAC• Provides integrity
of CT• Plaintext integrity• If cipher is
malleable, we detect invalid CT
• MAC provides no information about PT since it’s over the encryption
MAC-then-Encrypt• No integrity of CT• Plaintext integrity• If cipher is
malleable, can change message w/o detection
• MAC provides no information on PT since encrypted
Encrypt-and-MAC• No integrity on CT• Integrity of PT can be
verified• If cipher is malleable,
contents of CT can be altered; should detect at PT level
• May reveal info about PT in the MAC (e.g., MAC of same messages are the same)
![Page 75: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/75.jpg)
83
Recap 1• MACs from PRF
– CBC-MAC– Others: N(ested)MAC, P(arallel)MAC
• MACs from collision resistant hash functions– Make CRF with merkle-damgard from PRF
• Attackers goal: existential forgery
![Page 76: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/76.jpg)
84
Recap 2• Authenticated Encryption
– Chosen Ciphertext Attack (CCA) and CCA-secure ciphers
– AE game = CCA + CPA secure
• Encrypt-then-MAC always right– Don’t roll your own
![Page 77: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/77.jpg)
85
Further reading• J. Black, P. Rogaway: CBC MACs for Arbitrary-Length Messages: The
Three-Key Constructions. J. Cryptology 18(2): 111-131 (2005)
• K. Pietrzak: A Tight Bound for EMAC. ICALP (2) 2006: 168-179
• J. Black, P. Rogaway: A Block-Cipher Mode of Operation for Parallelizable Message Authentication. EUROCRYPT 2002: 384-397
• M. Bellare: New Proofs for NMAC and HMAC: Security Without Collision-Resistance. CRYPTO 2006: 602-619
• Y. Dodis, K. Pietrzak, P. Puniya: A New Mode of Operation for Block Ciphers and Length-Preserving MACs. EUROCRYPT 2008: 198-219
![Page 78: Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012](https://reader035.vdocuments.site/reader035/viewer/2022070605/5a4d1ae77f8b9ab059979763/html5/thumbnails/78.jpg)
86
Questions?