+ All Categories
Home > Documents > Message Authentication Codes - Thammasat...

Message Authentication Codes - Thammasat...

Date post: 07-Mar-2018
Category:
Upload: dangthu
View: 236 times
Download: 5 times
Share this document with a friend
of 28 /28
CSS322 Introduction Functions Auth. with Encryption Auth. with MAC Security Algorithms Message Authentication Codes CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 31 October 2012 CSS322Y12S2L09, Steve/Courses/2012/s2/css322/lectures/mac.tex, r2531
Transcript
Page 1: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Message Authentication Codes

CSS322: Security and Cryptography

Sirindhorn International Institute of TechnologyThammasat University

Prepared by Steven Gordon on 31 October 2012CSS322Y12S2L09, Steve/Courses/2012/s2/css322/lectures/mac.tex, r2531

Page 2: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Contents

Message Authentication Requirements and Functions

Authentication with Message Encryption

Authentication with Message Authentication Codes

Security of MACs

MAC Algorithms

Page 3: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Attacks on Communications across Network

1. Disclosure: encryption

2. Traffic analysis: encryption

3. Masquerade: message authentication

4. Content modification: message authentication

5. Sequence modification: message authentication

6. Timing modification: message authentication

7. Source repudiation: digital signatures

8. Destination repudiation: digital signatures

Page 4: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Message Authentication Functions

I Message authentication (and digital signature)mechanisms have two parts:

1. Function that produces authenticator2. Protocol that enables receiver to verify authenticity

I Three types of authentication functions:

1. Hash function2. Message encryption3. Message authentication code (MAC)

Page 5: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Contents

Message Authentication Requirements and Functions

Authentication with Message Encryption

Authentication with Message Authentication Codes

Security of MACs

MAC Algorithms

Page 6: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Symmetric Encryption for Authentication

I Confidentiality: only B (and A) can recover plaintext

I Source Authentication: A is only other user with key;must have come from A

I Data Authentication: successfully decrypted; data hasnot been modified

I Assumption: decryptor can recognise correct plaintext

Page 7: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Recognising Correct Plaintext

Example 1

B receives ciphertext (supposedly from A, using sharedsecret key K ):

DPNFCTEJLYONCJAEZRCLASJTDQFY

B decrypts with key K to obtain plaintext:

SECURITYANDCRYPTOGRAPHYISFUN

I Was the plaintext encrypted with key K (and hencesent by A)?

I Is the ciphertext received the same as the ciphertextsent by A?

Page 8: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Recognising Correct Plaintext

Example 2

B receives ciphertext (supposedly from A, using sharedsecret key K ):

QEFPFPQEBTOLKDJBPPXDBPLOOVX

B decrypts with key K to obtain plaintext:

FTUEUEFTQIDAZSYQEEMSQEADDKM

I Was the plaintext encrypted with key K (and hencesent by A)?

I Is the ciphertext received the same as the ciphertextsent by A?

Page 9: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Recognising Correct Plaintext

Example 3

B receives ciphertext (supposedly from A, using sharedsecret key K ):

0110100110101101010110111000010

B decrypts with key K to obtain plaintext:

0101110100001101001010100101110

I Was the plaintext encrypted with key K (and hencesent by A)?

I Is the ciphertext received the same as the ciphertextsent by A?

Page 10: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Recognising Correct Plaintext

Example 1

I Assume the message is EnglishI Plaintext had expected structure; assume the plaintext

is correctI Sent by A and has not been modified

Example 2

I Assume the message is EnglishI Plaintext had no structure in expected language;

assume plaintext is incorrectI Either not sent by A or modified

Example 3

I Binary data, e.g. image, compressed file

I Cannot know whether correct or incorrect

Page 11: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Recognising Correct Plaintext

I Valid plaintexts should be small subset of all possiblemessages

I E.g. 26n possible messages of length n; only smallsubset are valid English phrases

I Plaintext messages have structure

I BUT automatically detecting structure can be difficultI Add structure to make it easier, e.g.

I Error detecting code or Frame Check SequenceI Packet header

Page 12: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Adding Error Detecting Code

Page 13: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

TCP Segment

Page 14: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Public-Key Encryption for Authentication

I Only provides confidentiality

I Same assumption as before: plaintext must havestructure so can be recognised as correct or incorrect

Page 15: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Public-Key Encryption for Authentication

I Data authentication (data has not been modified)

I Digital signature: proof that message came from A

Page 16: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Public-Key Encryption for Authentication

I Both confidentiality, authentication and digital signature

Page 17: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Contents

Message Authentication Requirements and Functions

Authentication with Message Encryption

Authentication with Message Authentication Codes

Security of MACs

MAC Algorithms

Page 18: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Authentication with Message AuthenticationCodes

I Append small, fixed-size block of data to message:cryptographic checksum or MAC

T = MAC(K ,M)

M = input messageMAC = MAC functionK = shared secret key of k bitsT = message authentication code (or tag) of n bits

I MAC function also called keyed hash functionI MAC function similar to encryption, but does not need

to be reversibleI Easier to design stronger MAC functions than

encryption functions

Page 19: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Page 20: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Contents

Message Authentication Requirements and Functions

Authentication with Message Encryption

Authentication with Message Authentication Codes

Security of MACs

MAC Algorithms

Page 21: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Requirement of MACs

Objective of Attacker

I Assume MAC function is known, key K is not

I For valid MAC code for given message x

Requirement of MAC Function

Computation Resistance : given one or more text-MAC pairs[xi ,MAC (K , xi )], computationally infeasible tocompute any text-MAC pair [x ,MAC (K , x)]for new input x 6= xi

Page 22: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Security of MACs

Brute Force Attack on Key

I Attacker knows [x1,T1] where T1 = MAC (K , x1)

I Key size of k bits: brute force on key, 2k

I But . . . many tags match T1

I For keys that produce tag T1, try again with [x2,T2]

I Effort to find K is approximately 2k

Brute Force Attack on MAC value

I For xm, find Tm without knowing K

I Similar effort required as one-way/weak collisionresistant property for hash functions

I For n bit MAC value length, effort is 2n

Effort to break MAC: min(2k , 2n)

Page 23: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Security of MACs

Cryptanalysis

I Many different MAC algorithms; attacks specific toalgorithms

I MAC algorithms generally considered secure

Page 24: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

Contents

Message Authentication Requirements and Functions

Authentication with Message Encryption

Authentication with Message Authentication Codes

Security of MACs

MAC Algorithms

Page 25: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

MACs Based on Block Ciphers

I Data Authentication Algorithm (DAA): based on DES;considered insecure

I Cipher-Based Message Authentication Code (CMAC):mode of operation used with Triple-DES and AES

I OMAC, PMAC, UMAC, VMAC, . . .

Page 26: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

DAA

Page 27: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

CMAC

Page 28: Message Authentication Codes - Thammasat Universityict.siit.tu.ac.th/.../CSS322Y12S2L09-Message-Authentication-Codes.pdf · CSS322 Introduction Functions Auth. with Encryption Auth.

CSS322

Introduction

Functions

Auth. withEncryption

Auth. with MAC

Security

Algorithms

HMAC

I MAC function derived from cryptographic hashfunctions

I MD5/SHA are fast in software (compared to blockciphers)

I Libraries for hash functions widely available

HMAC(K ,M) = H((K ⊕ opad)||H((K ⊕ ipad)||M))

where ipad= 00110110 repeated, opad= 01011100repeated

I Security of HMAC depends on security of hash functionused


Recommended