macs message authentication and integrity - computer...
Introduction MACs Timing attacks
MACs
Message authentication and integrity
Foundations of Cryptography
Computer Science Department
Wellesley College
Fall 2016
Table of contents
Introduction
MACs
Timing attacks
Secure communication and message integrity
Imagine a supermarket chain sends an email request to purchase 10,000 crates of coke*. The supplier has to consider:
1. Is the order authentic, i.e., did the chain really issue an order, or was it spoofed?
2. Even if it assuredly came from the chain, the supplier must still ask whether the details are exactly as intended.
*The order itself is not secret and therefore the question of privacy does not arise.
Encryption vs. Message Authentication
• Why not use encryption to ensure message integrity? After all, if the adversary cannot figure out what you are saying, what harm can she do?
• Consider randomized counter mode, which we proved has indistinguishable encryption under a chosen-plaintext attack.
• If the message structure is known (or can be guessed), then the attacker can manipulate ciphertext to cause predictable changes in the plaintext.*
*How?
Using privacy to achieve authentication
• Suppose Bullwinkle transmits an ASCII message M_100 which indicates that Rocky should please transfer $100 from the checking account of Bullwinkle to the checking account of Boris.
• The adversary Boris wants to change the amount from $100 to $900. Now if M_100 had been sent in the clear, Boris could easily modify it.
• But if M_100 is encrypted so that ciphertext C_100 is sent, how is Boris to modify C_100 so as to make Rocky recover the different message M_900?
Not so fast*
*The format of the message is known to all parties.
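The following added example (not part of the original slides) works through the M_100 / C_100 question: counter-mode decryption accepts a modified ciphertext without complaint, while a tag computed over the ciphertext no longer verifies. It assumes HMAC-SHA256 as a stand-in for the block-cipher PRF, a separate MAC key, and a constructed message string.

```python
import hashlib
import hmac
import secrets

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream; HMAC-SHA256 stands in for the block-cipher PRF."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def ctr_encrypt(key: bytes, msg: bytes) -> tuple:
    nonce = secrets.token_bytes(16)  # fresh randomness for every message
    ks = keystream(key, nonce, len(msg))
    return nonce, bytes(a ^ b for a, b in zip(msg, ks))

def ctr_decrypt(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    ks = keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def mac(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(key, nonce + ct, hashlib.sha256).digest()

def demo() -> dict:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    m100 = b"Transfer $100 from Bullwinkle to Boris"  # constructed sample
    nonce, c100 = ctr_encrypt(enc_key, m100)
    tag = mac(mac_key, nonce, c100)

    # The format is public, so the offset of the digit '1' is known.
    # XORing the ciphertext byte with '1' ^ '9' turns C_100 into C_900
    # without any knowledge of enc_key.
    pos = m100.index(b"$") + 1
    c900 = bytearray(c100)
    c900[pos] ^= ord("1") ^ ord("9")
    c900 = bytes(c900)

    return {
        "decrypts_to": ctr_decrypt(enc_key, nonce, c900),
        "original_tag_valid": hmac.compare_digest(tag, mac(mac_key, nonce, c100)),
        "modified_tag_valid": hmac.compare_digest(tag, mac(mac_key, nonce, c900)),
    }
```
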
And another thing ...
• In fact, sometimes confidentiality only gets in the way.
• We don’t encrypt our checks when we sign them.
• With message encryption, the protection is lost when the message is decrypted. In addition, there is an overhead associated with encryption and decryption.
The problem in a nutshell
Data authenticity or integrity
Sender S wants to send a message M to receiver R in such a way that R will be sure it came from S.
But, adversary A controls the communications channel.
The solution: Message Authentication Codes (MACs)
Message authentication code
One solution is to attach a fixed-length “tag” to the original message.
The tag, or MAC, serves to validate the authenticity of the message.
*Confidentiality isn’t always needed. In fact, sometimes confidentiality only gets in the way.
Message Authentication Codes
Definition 4.1. A message authentication code (MAC) is a tuple of probabilistic polynomial-time algorithms (Gen, Mac, Vrfy) such that:
1. The key-generation algorithm Gen takes as input the security parameter $1^n$ and outputs a key $k$ with $|k| \geq n$.
2. The tag-generation algorithm Mac takes as input a key $k$ and a message $m \in \{0,1\}^*$, and outputs a tag $t$. Since this algorithm may be randomized, we write $t \leftarrow \mathrm{Mac}_k(m)$.
3. The verification algorithm Vrfy takes as input a key $k$, a message $m$, and a tag $t$. It outputs a bit $b$ with $b = 1$ meaning valid and $b = 0$ meaning invalid. We assume WLOG that Vrfy is deterministic and so write this as $b := \mathrm{Vrfy}_k(m, t)$.
It is required that for every $n$, $k$, $m$: $\mathrm{Vrfy}_k(m, \mathrm{Mac}_k(m)) = 1$.
Canonical verification
• For deterministic message authentication codes, the canonical way to perform verification is to simply re-compute the tag and check for equality.
Security of message authentication codes
• Our goal is to detect any attempt by the adversary to modify the transmission.
• To accomplish this we seek MACs such that no polynomial-time adversary can generate a valid tag on any "new" message that was not previously sent.
• Of course, the adversary may have observed (or even influenced the content of) many messages and their corresponding tags before taking action.
Secure MACs
The message authentication experiment $\text{Mac-forge}_{A,\Pi}(n)$:
1. A random key $k$ is generated by running $\mathrm{Gen}(1^n)$.
2. The adversary $A$ is given input $1^n$ and oracle access to $\mathrm{Mac}_k(\cdot)$. The adversary eventually outputs a pair $(m, t)$. Let $Q$ denote the set of all queries that $A$ asked to its oracle.
3. The output of the experiment is defined to be 1 if and only if (1) $\mathrm{Vrfy}(m, t) = 1$; and (2) $m \notin Q$.
Definition 4.2. A message authentication code $\Pi = (\mathrm{Gen}, \mathrm{Mac}, \mathrm{Vrfy})$ is existentially unforgeable under an adaptive chosen-message attack if for all probabilistic polynomial-time adversaries $A$ there exists a negligible function negl such that
$\Pr[\text{Mac-forge}_{A,\Pi}(n) = 1] \leq \mathrm{negl}(n)$.
Bullwinkle buys a bike from Bois
[Figure: Sender, Adversary, Receiver. Message: "Transfer $100 from my account to Bois"; transmitted as "Transfer $100 from my account to Bois -- &*#@".]
Sometime later ...
[Figure: Adversary, Receiver. Message: "Transfer $100 from my account to Bois -- &*#@". Label: "out to lunch".]
Replay attacks and MACs
• MACs provide no protection against replay attacks.
• The problem is that MACs do not incorporate any notion of state in their verification algorithms. Thus, every time a valid pair $(m, t)$ is presented to $\mathrm{Vrfy}_k$ it returns the same answer.
• Protection against replay attacks is left to some higher-level application.
Dealing with replay attacks
Two common techniques for dealing with replay attacks*:
Sequence numbers: The sender assigns a unique sequence number $i$ to each message which the receiver keeps track of. The MAC tag is computed over the concatenated message $i \| m$.
Time stamps: Sender appends the current time to the message. When the receiver obtains a message, it checks whether the included time-stamp is within some acceptable window of the current time.
*Both schemes have certain drawbacks.
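Both techniques are sketched in the added example below (not code from the slides): a stateful receiver that tracks sequence numbers, and a stateless check of a time stamp against a window. The 30-second window, the 8-byte encoding of $i$ and of the time stamp, and HMAC-SHA256 as the MAC are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 30  # assumed acceptance window for the time-stamp variant

def tag(key: bytes, prefix: int, m: bytes) -> bytes:
    # MAC over prefix || m; the fixed 8-byte prefix keeps the encoding unambiguous
    return hmac.new(key, prefix.to_bytes(8, "big") + m, hashlib.sha256).digest()

class SeqReceiver:
    """Stateful receiver: sequence numbers must be strictly increasing."""
    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def accept(self, i: int, m: bytes, t: bytes) -> bool:
        if not hmac.compare_digest(t, tag(self.key, i, m)):
            return False  # forged, modified, or tag bound to another i
        if i < self.next_seq:
            return False  # valid tag, but this number was already used: replay
        self.next_seq = i + 1
        return True

def accept_timestamped(key: bytes, ts: int, m: bytes, t: bytes, now: int) -> bool:
    """Stateless receiver: valid tag and time stamp within the window."""
    if not hmac.compare_digest(t, tag(key, ts, m)):
        return False
    return abs(now - ts) <= WINDOW_SECONDS

def demo() -> dict:
    key = secrets.token_bytes(32)
    m = b"Transfer $100 from my account to Bois"  # message from the slides
    rx = SeqReceiver(key)
    t0 = tag(key, 0, m)
    first = rx.accept(0, m, t0)
    replay = rx.accept(0, m, t0)
    renumbered = rx.accept(1, m, t0)  # old tag presented under a new number
    now = 1_700_000_000               # constructed clock value
    ts_tag = tag(key, now, m)
    return {
        "first": first, "replay": replay, "renumbered": renumbered,
        "ts_fresh": accept_timestamped(key, now, m, ts_tag, now + 5),
        "ts_replay_in_window": accept_timestamped(key, now, m, ts_tag, now + 20),
        "ts_stale": accept_timestamped(key, now, m, ts_tag, now + 120),
    }
```

The `ts_replay_in_window` result shows one drawback of time stamps: a copy resent inside the window is still accepted, whereas the sequence-number receiver has to keep state.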
New tags on old messages
• Secure MACs ensure that an adversary cannot generate a valid tag on a new message that was never previously authenticated.
• It does not rule out the possibility that an attacker might be able to generate a new tag on a previously authenticated message.
• We may want to ensure that this cannot happen. To do so we consider a modified experiment Mac-sforge that is defined exactly as Mac-forge except that now the set $Q$ contains pairs $(m, t)$ of oracle queries and their responses.
• An adversary succeeds if and only if $A$ outputs $(m, t)$ such that $\mathrm{Vrfy}_k(m, t) = 1$ and $(m, t) \notin Q$.
Strong MACs
The message authentication experiment $\text{Mac-sforge}_{A,\Pi}(n)$:
1. A random key $k$ is generated by running $\mathrm{Gen}(1^n)$.
2. The adversary $A$ is given input $1^n$ and oracle access to $\mathrm{Mac}_k(\cdot)$. The adversary eventually outputs a pair $(m, t)$. Let $Q$ denote the set of all pairs $(m, t)$ for which $A$ queried $\mathrm{Mac}_k(m)$ and received tag $t$ in response.
3. The output of the experiment is defined to be 1 if and only if (1) $\mathrm{Vrfy}(m, t) = 1$; and (2) $(m, t) \notin Q$.
Definition 4.3. A message authentication code $\Pi = (\mathrm{Gen}, \mathrm{Mac}, \mathrm{Vrfy})$ is strongly secure if for all probabilistic polynomial-time adversaries $A$ there exists a negligible function negl such that
$\Pr[\text{Mac-sforge}_{A,\Pi}(n) = 1] \leq \mathrm{negl}(n)$.
Verification
Proposition 4.4. Let $\Pi = (\mathrm{Gen}, \mathrm{Mac}, \mathrm{Vrfy})$ be a secure MAC that uses canonical verification. Then $\Pi$ is a strong MAC.*
One can also consider an adversary who interacts with an honest receiver, sending $m', t'$ to the receiver to learn whether $\mathrm{Vrfy}_k(m', t') = 1$.
It is not hard to incorporate this into our definition of MAC security. However, for MACs that use canonical verification it makes no difference: any such MAC that satisfies Definition 4.2 also remains secure when verification queries are possible.**
*Proof is left as an exercise.
**You guessed it, another exercise.
Things that go bark in the night
• Consider an adversary who can send message/tag pairs to the receiver and learn not only whether the receiver accepts or rejects, but also the time it takes to make the decision.
• We show that a natural implementation of MAC verification leads to an easily exploitable vulnerability.
*This attack, which is an example of a side-channel attack, shows that certain real-world attacks are not captured by the usual definitions.
A potential timing attack
Assume a MAC using canonical verification that uses a standard routine (like strcmp in C) for byte comparisons.
• Suppose the attacker already knows the first $i \geq 0$ bytes of the tag for message $m$.
• The attacker sends $(m, t_0), \ldots, (m, t_{255})$ to the receiver, where $t_j$ is the string with the first $i$ bytes set correctly, the $(i+1)$th byte equal to $j$, and the remaining bytes set to 0x00.
• All of these are likely to be rejected.* Else, for exactly one of these tags, say $t_j$, the first $(i + 1)$ bytes will match the correct tag and rejection will take slightly longer. The attacker learns the $(i + 1)$th byte of the correct tag is $j$.
*If not, the attacker wins right away.
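The added example below (not code from the slides) implements canonical verification from the earlier slide and contrasts an early-exit byte comparison with one whose work does not depend on where the tags first differ. HMAC-SHA256 as the MAC and the use of "bytes examined" as a deterministic stand-in for running time are assumptions; the function names are illustrative.

```python
import hashlib
import hmac
import secrets

def gen(n: int = 32) -> bytes:
    return secrets.token_bytes(n)

def mac(k: bytes, m: bytes) -> bytes:
    return hmac.new(k, m, hashlib.sha256).digest()

def leaky_equal(a: bytes, b: bytes) -> tuple:
    """Early-exit comparison in the style of strcmp/memcmp.
    Returns (equal, bytes_examined); the second value models running time."""
    if len(a) != len(b):
        return False, 0
    for i in range(len(a)):
        if a[i] != b[i]:
            return False, i + 1  # stops at the first mismatch
    return True, len(a)

def constant_time_equal(a: bytes, b: bytes) -> tuple:
    """Examines every byte and folds all differences into one accumulator."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)

def vrfy(k: bytes, m: bytes, t: bytes) -> bool:
    # Canonical verification: recompute the tag, then compare.
    # hmac.compare_digest is the library routine to use in real code; the
    # pure-Python loop above only illustrates the idea.
    return hmac.compare_digest(mac(k, m), t)

def work_profile(compare, correct: bytes) -> list:
    """Bytes examined when a wrong tag shares 0, 1, 2, 3 leading bytes
    with the correct one."""
    profile = []
    for prefix_len in range(4):
        wrong = bytearray(correct)
        wrong[prefix_len] ^= 0xFF  # first mismatch at index prefix_len
        profile.append(compare(correct, bytes(wrong))[1])
    return profile
```

With a 32-byte tag, `work_profile(leaky_equal, t)` grows with the length of the matching prefix while `work_profile(constant_time_equal, t)` stays flat, which is the property a verifier needs.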
Right, but how realistic is this?
• This attack was carried out against the MACs used to verify code updates in the Xbox 360.
• The implementation of MAC verification had a difference of 2.2 milliseconds between rejection times.
• Attackers were able to exploit this and load pirated games onto the hardware.