DOCSLIB.ORG

Message Authentication Code • Hash Function and Birthday Attack • SHA-1 and SHA-3 • HMAC

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Message Authentication Code • Hash Function and Birthday Attack • SHA-1 and SHA-3 • HMAC Chapter 5 Message Integrity 1 Outline • Message Authentication Code • Hash Function and Birthday Attack • SHA-1 and SHA-3 • HMAC 2 Message Authentication • For passive attacks: encryption • For active attacks: message authentication Message authentication can verify the authenticity and integrity of received messages, and also can verify the order and timeliness of messages. The authentication mechanism needs to generate an authenticator/tag. Authenticator/tag: The value used to authenticate the message. The methods of generating the authenticator are: message authentication code (MAC) and hash function 3 Message authentication code A fixed-length value used as an authenticator/tag generated from the message by a key-controlled public function, or a cryptographic checksum. Shared k ktag message m k Alice: m Bob Generate tag: Verify tag: tag S(k, m) V(k, m, tag) = ‘yes’ ? 4 Remarks If only Alice and the Bob know k, and the MAC of Bob is consistent with the received MAC. 1. Bob believes that the message sent by Alice has not been tampered. 2. Bob believes that Alice is not impersonating. The MAC algorithm is similar to the encryption algorithm except that the MAC algorithm does not have to be reversible, and thereby it is less susceptible to attacks than the encryption algorithm. MAC provides authentication without confidentiality. Examples: Protecting public binaries on disk. Protecting banner ads on web pages. 5 sender Remarks receiver compare (a) Message authentication compare (b) Authenticity and confidentiality: Authentication on plaintext compare (c) Authenticity and confidentiality: Authentication on ciphertext 6 Attacks on MAC (1) The cost of the exhaustive search attack for MAC is greater than the exhaustive search for encryption algorithm with the same length key. Given M||CK(M) =MAC, to find K (2) Some attack methods do not need to find the key used to generate the MAC. An attacker can fake a message for the given authentication tag. 7 Attack MAC (Find K) Round 1: Given M1 and MAC1, where MAC1 = CK(M1), calculate MACi = CKi (M1) for all 2k possible keys to yield 2k-n possible keys. Round 2: Given M2 and MAC2, where MAC2 = CK (M2), calculate MACi=CKi(M2) for 2k-n possible keys obtained in round 1, to obtain 2k-2×n possible keys. In this way, if k = αn, the above attack mode requires α rounds on average. For example, if the key length is 80 bits and the MAC length is 32 bits, then about 248 possible keys will be generated in round 1, 216 possible keys will be generated in round 2, and the correct K can be found in round 3. 8 Attack MAC (Fake Message) Let M=(X1‖X2‖...‖Xm), where Xi (i=1,...,m) is 64-bit block, (MXX ) 1 2 X m CMK() E K () M The encryption algorithm is ECB-DES. Thus, the key size is 56 bits and the MAC size is 64 bits. If the adversary gets M‖CK(M), then the adversary will need to do 256 encryptions using exhaustive search. However, the adversary can also hack the system in the following way: X1 ,, X m1 Y1 ,,Ym1 Ym Y 1Y2 Ym1 (M ) X Y m m M and M’ has the same MAC 伪造一新消息:Forge a new message 9 M Y1 Y2 Ym1 Ym Requirement of MAC MAC should satisfy the following requirements, assuming that the adversary knows the MAC algorithm C but does not know the key K: • If the adversary gets M and CK(M), constructing a new message M' that satisfies CK(M') = CK(M) is computationally infeasible. • CK(M) is uniformly distributed in the following sense: Two messages M -n and M‘ are randomly selected, Pr[CK(M)=CK(M')]=2 where n is the size of MAC. • If M' is a permutation of M, i.e., M' = f (M), for example, f is to insert one -n or more bits, then Pr[CK(M) = CK(M')] = 2 . 10 Data Authentication Algorithm One of the most widely used message authentication codes. • The algorithm is based on the DES algorithm with the CBC mode, • Its initial vector takes a zero vector. • The data is divided into 64-bit blocks D1, D2, ..., DN. • If the last block is less than 64 bits, some 0s can be padded on the right. 11 Data Authentication Algorithm O1 EDK ( 1 ) O2 EDK ( 2 O 1 ) O3 EDK ( 3 O 2 ) ON ED KN( O N 1 ) The data authentication code is ON or the leftmost m bits of ON, where 16 ≤ m ≤ 64. 12 Outline • Message Authentication Code • Hash Function and Birthday Attack • SHA-1 and SHA-3 • HMAC 13 Definition A hash family is a four-tuple I=(M, T, K, H), where the following conditions are satisfied: 1. M is a set of possible messages; 2. T is a finite set of possible message digests or authentication tags; 3. K, the key space, is a finite set of possible keys; 4. For each k K, there is a hash function Hk H, each Hk: M → T. • Unkeyed Hash Function H: M → T • Keyed hash function (Message Authentication Code) Hk: M → T 14 Hash Function By a hash function, it means a map H: {0,1}*{0,1}n, n N. hash function maps arbitrarily long strings to strings of fixed length. Example The map that sends * b1∙∙∙bk in {0, 1} to b1∙∙∙ bk is a hash function. 15 Preimage Preimage A hash function H: M → T and an element yT Find: m M such that H(m)=y Preimage-resistance: it is infeasible to find mM such that H(m)=y Second Preimage A hash function H: M → T and an element mM Find: m’ M such that m’≠m and H(m’)=H(m) Second Preimage-resistance: It is infeasible to find m’ M such that m’≠m and H(m’)=H(m) 16 Collision Resistance Let H: M T be a hash function ( |M| >> |T| ) A collision for H is a pair m0 , m1 M such that: H(m0) = H(m1) and m0 m1 A function H is collision resistant if for all (explicit) “eff” algs. A: AdvCR[A, H] = Pr[A outputs collision for H] is “neg”. Example: SHA-256 (outputs 256 bits) • Weaker than preimage resistance? • Stronger than second preimage resistance? 17 Collision Resistance A collision of H is a pair (m, m)M 2 for which m m and H(m) = H(m). There are collisions of all hash functions and compression functions because they are not injective. The function H(m) is called weak collision resistant if it is infeasible to compute a collision (m, m) for a given mM. The function H(m) is called (strong) collision resistant if it is infeasible to compute any collision (m, m) of H. 18 Birthday Attack We describe a simple attack on hash functions H: *n called the birthday attack. It attacks the strong collision resistance of H. The attack is based on the birthday paradox. 19 Birthday Paradox Birthday paradox: Suppose a group of people are in a room. What is the probability that two of them have the same birthday? Suppose there are n birthdays and that there are k people in the room. An k elementary event is a tuple (b1, …, bk) {1, 2, …, n} . k The birthday of the ith person is bi, 1 i k, so we have n elementary events. We assume that those elementary events are equally probable. Then the probability of an elementary events is 1/ nk. Let p be the probability that two people in the room have the same birthday. Then with probability q = 1 - p any two people have different birthdays. 20 Birthday Paradox k Let E be the set of all vectors (g1, …, gk) {1, 2, …, n} , whose entries are pairwise different. Then E models the Birthday paradox. Let |E| denote the number of element in E. Then k1 |E| = (n - 0) (n - 1) … (n -(k - 1)) = i 0 ( n i ) and q = (n - 0) (n - 1) … (n -(k - 1)) / nk 1 k1 k1 i = i 0 ( n i ) = i 1 ( 1 .) nk n Since 1 + x ex holds for all real numbers, therefore (e-x = 1-x+x2/2!-x3/3!+…) k1 k1 i /n i / n -k(k-1)/2n q i1 e = e i 1 = e . 21 Birthday Paradox Assume that q = 0.5, then we have q = 0.5 e-k(k-1)/2n ln (2-1) = ln e-k(k-1)/2n ln 2 = k(k-1)/2n k(k-1) = 2n ln 2 (ln 2 = 0.693) k2 - k - 2n ln 2 = 0 k = [1 + (1 + 8n ln 2)0.5)] / 2 If k (1 + (1 + 8n ln 2)0.5) / 2, then q 0.5. 22 Birthday Paradox We describe a simple attack on hash functions H: *n (hence the result consists of ||n possible strings) called the birthday attack. It attacks the strong collision resistance of H. The attack is based on the birthday paradox. Assume that is an alphabet. Then strings from * can be chosen such that the distribution on the corresponding hash values is the uniform distribution. If k strings in x * are chosen, where k (1 + (1 + 8 ||n ln 2)0.5) / 2, then the probability of two hash values being equal exceeds 0.5. 23 Birthday Paradox Assume = {0,1}, then k (1 + (1 + 8 ∙ 2n ∙ ln 2)0.5) / 2 is sufficient to find two strings having the same hash value with probability greater than 0.5. By the table below, if we compute a little more than 2n/2 hash values, then the birthday attack will succeed with probability > 0.5.
Load more

Recommended publications
  • The Order of Encryption and Authentication for Protecting Communications (Or: How Secure Is SSL?)?
    The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)? Hugo Krawczyk?? Abstract. We study the question of how to generically compose sym- metric encryption and authentication when building \secure channels" for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combina- tion of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryp- tion and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an en- cryption function that provides (Shannon's) perfect secrecy but when combined with any MAC function under the authenticate-then-encrypt method yields a totally insecure protocol (for example, ¯nding passwords or credit card numbers transmitted under the protection of such protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH. On the positive side we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that xor the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe. 1 Introduction The most widespread application of cryptography in the Internet these days is for implementing a secure channel between two end points and then exchanging information over that channel.
    [Show full text]
  • Authenticated Key-Exchange: Protocols, Attacks, and Analyses
    The HMAC construction: A decade later Ran Canetti IBM Research What is HMAC? ● HMAC: A Message Authentication Code based on Cryptographic Hash functions [Bellare-C-Krawczyk96]. ● Developed for the IPSec standard of the Internet Engineering Task Force (IETF). ● Currently: - incorporated in IPSec, SSL/TLS, SSH, Kerberos, SHTTP, HTTPS, SRTP, MSEC, ... - ANSI and NIST standards - Used daily by all of us. Why is HMAC interesting? ● “Theoretical” security analysis impacts the security of real systems. ● Demonstrates the importance of modelling and abstraction in practical cryptography. ● The recent attacks on hash functions highlight the properties of the HMAC design and analysis. ● Use the HMAC lesson to propose requirements for the next cryptographic hash function. Organization ● Authentication, MACs, Hash-based MACs ● HMAC construction and analysis ● Other uses of HMAC: ● Pseudo-Random Functions ● Extractors ● What properties do we want from a “cryptographic hash function”? Authentication m m' A B The goal: Any tampering with messages should be detected. “If B accepts message m from A then A has sent m to B.” • One of the most basic cryptographic tasks • The basis for any security-conscious interaction over an open network Elements of authentication The structure of typical cryptographic solutions: • Initial entity authentication: The parties perform an initial exchange, bootstrapping from initial trusted information on each other. The result is a secret key that binds the parties to each other. • Message authentication: The parties use the key to authenticate exchanged messages via message authentication codes. Message Authentication Codes m,t m',t' A B t=FK(m) t' =? FK(m') • A and B obtain a common secret key K • A and B agree on a keyed function F • A sends t=FK(m) together with m • B gets (m',t') and accepts m' if t'=FK(m').
    [Show full text]
  • MD5 Collisions the Effect on Computer Forensics April 2006
    Paper MD5 Collisions The Effect on Computer Forensics April 2006 ACCESS DATA , ON YOUR RADAR MD5 Collisions: The Impact on Computer Forensics Hash functions are one of the basic building blocks of modern cryptography. They are used for everything from password verification to digital signatures. A hash function has three fundamental properties: • It must be able to easily convert digital information (i.e. a message) into a fixed length hash value. • It must be computationally impossible to derive any information about the input message from just the hash. • It must be computationally impossible to find two files to have the same hash. A collision is when you find two files to have the same hash. The research published by Wang, Feng, Lai and Yu demonstrated that MD5 fails this third requirement since they were able to generate two different messages that have the same hash. In computer forensics hash functions are important because they provide a means of identifying and classifying electronic evidence. Because hash functions play a critical role in evidence authentication, a judge and jury must be able trust the hash values to uniquely identify electronic evidence. A hash function is unreliable when you can find any two messages that have the same hash. Birthday Paradox The easiest method explaining a hash collision is through what is frequently referred to as the Birthday Paradox. How many people one the street would you have to ask before there is greater than 50% probability that one of those people will share your birthday (same day not the same year)? The answer is 183 (i.e.
    [Show full text]
  • Hello, and Welcome to This Presentation of the STM32 Hash Processor
    Hello, and welcome to this presentation of the STM32 hash processor. 1 Hash peripheral is in charge of efficient computing of message digest. A digest is a fixed-length value computed from an input message. A digest is unique - it is virtually impossible to find two messages with the same digest. The original message cannot be retrieved from its digest. Hash digests and Hash-based Message Authentication Code (HMAC) are widely used in communication since they are used to guarantee the integrity and authentication of a transfer. 2 The hash processor supports widely used hash functions including Message Digest 5 (MD5), Secure Hash Algorithm SHA-1 and the more recent SHA-2 with its 224- and 256- bit digest length versions. A hash can also be generated with a secrete-key to produce a message authentication code (MAC). The processor supports bit, byte and half-word swapping. It supports also automatic padding of input data for block alignment. The processor can be used in conjunction with the DMA for automatic processor feeding. 3 All supported hash functions work on 512-bit blocks of data. The input message is split as many times as needed to feed the hash processor. Subsequent blocks are computed sequentially. MD5 is the less robust function with only a 128-bit digest. The SHA standard has two versions SHA-1 and the more recent SHA-2 with its 224- and 256-bit digest length versions. 4 The hash-based message authentication code (HMAC) is used to authenticate messages and verify their integrity. The HMAC function consists of two nested Hash function with a secrete key that is shared by the sender and the receiver.
    [Show full text]
  • Network Security Chapter 8
    Network Security Chapter 8 Network security problems can be divided roughly into 4 closely intertwined areas: secrecy (confidentiality), authentication, nonrepudiation, and integrity control. Question: what does non-repudiation mean? What does “integrity” mean? • Cryptography • Symmetric-Key Algorithms • Public-Key Algorithms • Digital Signatures • Management of Public Keys • Communication Security • Authentication Protocols • Email Security -- skip • Web Security • Social Issues -- skip Revised: August 2011 CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Network Security Security concerns a variety of threats and defenses across all layers Application Authentication, Authorization, and non-repudiation Transport End-to-end encryption Network Firewalls, IP Security Link Packets can be encrypted on data link layer basis Physical Wireless transmissions can be encrypted CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Network Security (1) Some different adversaries and security threats • Different threats require different defenses CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Cryptography Cryptography – 2 Greek words meaning “Secret Writing” Vocabulary: • Cipher – character-for-character or bit-by-bit transformation • Code – replaces one word with another word or symbol Cryptography is a fundamental building block for security mechanisms. • Introduction » • Substitution ciphers » • Transposition ciphers » • One-time pads
    [Show full text]
  • Modes of Operation for Compressed Sensing Based Encryption
    Modes of Operation for Compressed Sensing based Encryption DISSERTATION zur Erlangung des Grades eines Doktors der Naturwissenschaften Dr. rer. nat. vorgelegt von Robin Fay, M. Sc. eingereicht bei der Naturwissenschaftlich-Technischen Fakultät der Universität Siegen Siegen 2017 1. Gutachter: Prof. Dr. rer. nat. Christoph Ruland 2. Gutachter: Prof. Dr.-Ing. Robert Fischer Tag der mündlichen Prüfung: 14.06.2017 To Verena ... s7+OZThMeDz6/wjq29ACJxERLMATbFdP2jZ7I6tpyLJDYa/yjCz6OYmBOK548fer 76 zoelzF8dNf /0k8H1KgTuMdPQg4ukQNmadG8vSnHGOVpXNEPWX7sBOTpn3CJzei d3hbFD/cOgYP4N5wFs8auDaUaycgRicPAWGowa18aYbTkbjNfswk4zPvRIF++EGH UbdBMdOWWQp4Gf44ZbMiMTlzzm6xLa5gRQ65eSUgnOoZLyt3qEY+DIZW5+N s B C A j GBttjsJtaS6XheB7mIOphMZUTj5lJM0CDMNVJiL39bq/TQLocvV/4inFUNhfa8ZM 7kazoz5tqjxCZocBi153PSsFae0BksynaA9ZIvPZM9N4++oAkBiFeZxRRdGLUQ6H e5A6HFyxsMELs8WN65SCDpQNd2FwdkzuiTZ4RkDCiJ1Dl9vXICuZVx05StDmYrgx S6mWzcg1aAsEm2k+Skhayux4a+qtl9sDJ5JcDLECo8acz+RL7/ ovnzuExZ3trm+O 6GN9c7mJBgCfEDkeror5Af4VHUtZbD4vALyqWCr42u4yxVjSj5fWIC9k4aJy6XzQ cRKGnsNrV0ZcGokFRO+IAcuWBIp4o3m3Amst8MyayKU+b94VgnrJAo02Fp0873wa hyJlqVF9fYyRX+couaIvi5dW/e15YX/xPd9hdTYd7S5mCmpoLo7cqYHCVuKWyOGw ZLu1ziPXKIYNEegeAP8iyeaJLnPInI1+z4447IsovnbgZxM3ktWO6k07IOH7zTy9 w+0UzbXdD/qdJI1rENyriAO986J4bUib+9sY/2/kLlL7nPy5Kxg3 Et0Fi3I9/+c/ IYOwNYaCotW+hPtHlw46dcDO1Jz0rMQMf1XCdn0kDQ61nHe5MGTz2uNtR3bty+7U CLgNPkv17hFPu/lX3YtlKvw04p6AZJTyktsSPjubqrE9PG00L5np1V3B/x+CCe2p niojR2m01TK17/oT1p0enFvDV8C351BRnjC86Z2OlbadnB9DnQSP3XH4JdQfbtN8 BXhOglfobjt5T9SHVZpBbzhDzeXAF1dmoZQ8JhdZ03EEDHjzYsXD1KUA6Xey03wU uwnrpTPzD99cdQM7vwCBdJnIPYaD2fT9NwAHICXdlp0pVy5NH20biAADH6GQr4Vc
    [Show full text]
  • Message Authentication Codes
    MessageMessage AuthenticationAuthentication CodesCodes Was this message altered? Did he really send this? Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 [email protected] Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/ Washington University in St. Louis CSE571S ©2011 Raj Jain 12-1 OverviewOverview 1. Message Authentication 2. MACS based on Hash Functions: HMAC 3. MACs based on Block Ciphers: DAA and CMAC 4. Authenticated Encryption: CCM and GCM 5. Pseudorandom Number Generation Using Hash Functions and MACs These slides are based partly on Lawrie Brown’s slides supplied with William Stallings’s book “Cryptography and Network Security: Principles and Practice,” 5th Ed, 2011. Washington University in St. Louis CSE571S ©2011 Raj Jain 12-2 MessageMessage SecuritySecurity RequirementsRequirements Disclosure Traffic analysis Masquerade Content modification Sequence modification Timing modification Source repudiation Destination repudiation Message Authentication = Integrity + Source Authentication Washington University in St. Louis CSE571S ©2011 Raj Jain 12-3 PublicPublic--KeyKey AuthenticationAuthentication andand SecrecySecrecy A B’s Public A’s PrivateMessage B A Key Key B Double public key encryption provides authentication and integrity. Double public key Very compute intensive Crypto checksum (MAC) is better. Based on a secret key and the message. Can also encrypt with the same or different key. Washington University in St. Louis CSE571S ©2011 Raj Jain 12-4 MACMAC PropertiesProperties A MAC is a cryptographic checksum MAC = CK(M) Condenses a variable-length message M using a secret key To a fixed-sized authenticator Is a many-to-one function Potentially many messages have same MAC But finding these needs to be very difficult Properties: 1.
    [Show full text]
  • Stronger Security Variants of GCM-SIV
    Stronger Security Variants of GCM-SIV Tetsu Iwata1 and Kazuhiko Minematsu2 1 Nagoya University, Nagoya, Japan, [email protected] 2 NEC Corporation, Kawasaki, Japan, [email protected] Abstract. At CCS 2015, Gueron and Lindell proposed GCM-SIV, a provably secure authenticated encryption scheme that remains secure even if the nonce is repeated. While this is an advantage over the original GCM, we first point out that GCM-SIV allows a trivial distinguishing attack with about 248 queries, where each query has one plaintext block. This shows the tightness of the security claim and does not contradict the provable security result. However, the original GCM resists the attack, and this poses a question of designing a variant of GCM-SIV that is secure against the attack. We present a minor variant of GCM-SIV, which we call GCM-SIV1, and discuss that GCM-SIV1 resists the attack, and it offers a security trade-off compared to GCM-SIV. As the main contribution of the paper, we explore a scheme with a stronger security bound. We present GCM-SIV2 which is obtained by running two instances of GCM-SIV1 in parallel and mixing them in a simple way. We show that it is secure up to 285.3 query complexity, where the query complexity is measured in terms of the total number of blocks of the queries. Finally, we generalize this to show GCM-SIVr by running r instances of GCM-SIV1 in parallel, where r ≥ 3, and show that the scheme is secure up to 2128r/(r+1) query complexity.
    [Show full text]
  • FIPS 198, the Keyed-Hash Message Authentication Code (HMAC)
    ARCHIVED PUBLICATION The attached publication, FIPS Publication 198 (dated March 6, 2002), was superseded on July 29, 2008 and is provided here only for historical purposes. For the most current revision of this publication, see: http://csrc.nist.gov/publications/PubsFIPS.html#198-1. FIPS PUB 198 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION The Keyed-Hash Message Authentication Code (HMAC) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8900 Issued March 6, 2002 U.S. Department of Commerce Donald L. Evans, Secretary Technology Administration Philip J. Bond, Under Secretary National Institute of Standards and Technology Arden L. Bement, Jr., Director Foreword The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Computer Security Act of 1987 (Public Law 100-235). These mandates have given the Secretary of Commerce and NIST important responsibilities for improving the utilization and management of computer and related telecommunications systems in the Federal government. The NIST, through its Information Technology Laboratory, provides leadership, technical guidance, and coordination of government efforts in the development of standards and guidelines in these areas. Comments concerning Federal Information Processing Standards Publications are welcomed and should be addressed to the Director, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900. William Mehuron, Director Information Technology Laboratory Abstract This standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions.
    [Show full text]
  • Message Authentication Aspects of Message Authentication Message
    Message authentication Message (or document) is authentic if • It is genuine and Message authentication and came from its alleged source. hash functions • Message authentication is a procedure which verifies that received messages are authentic COMP 522 COMP 522 Aspects of message authentication Message authentication techniques We would like to ensure that • Using conventional message encryption: • The content of the message has not been if we assume that only sender and receiver share a secret changed; key then the fact that receiver can successfully decrypt the message means the message has been encrypted by the • The source of the message is authentic; sender • The message has not been delayed and replayed; • Without message encryption The message is not encrypted, but special authentication tag is generated and appended to the message. Generation of a tag is a much more efficient procedure that encryption of the message. COMP 522 COMP 522 1 Message Authentication Code Message authentication using MAC • Let A and B share a common secret key K • If A would like to send a message M to B, she calculates a message authentication code MAC of M using the key K : MAC = F(K,M) • Then A appends MAC to M and sends all this to B; • B applies the MAC algorithm to the received message and compares the result with the received MAC COMP 522 COMP 522 MAC algorithms One-way Hash functions • The process of MAC generation is similar to the • An alternative method for the message encryption; authentication is to use one-way hash functions • The difference is a MAC algorithm need not be instead of MAC; reversible Æ easier to implement and less • The main difference is hash functions don’t use a vulnerable to being broken; secret key: • Actually, standard encryption algorithms can be h = H(M); used for MAC generation: • “One-way” in the name refers to the property of • For example, a message may be encrypted with DES such functions: they are easy to compute, but their and then last 16 or 32 bits of the encrypted text may be reverse functions are very difficult to compute.
    [Show full text]
  • Reconsidering the Security Bound of AES-GCM-SIV
    Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata1 and Yannick Seurin2 1 Nagoya University, Japan [email protected] 2 ANSSI, Paris, France [email protected] Abstract. We make a number of remarks about the AES-GCM-SIV nonce-misuse resis- tant authenticated encryption scheme currently considered for standardization by the Crypto Forum Research Group (CFRG). First, we point out that the security analysis proposed in the ePrint report 2017/168 is incorrect, leading to overly optimistic security claims. We correct the bound and re-assess the security guarantees offered by the scheme for various parameters. Second, we suggest a simple modification to the key derivation function which would improve the security of the scheme with virtually no efficiency penalty. Keywords: authenticated encryption · AEAD · GCM-SIV · AES-GCM-SIV · CAESAR competition 1 Introduction Authenticated Encryption. An authenticated encryption scheme aims at providing both confidentiality and authenticity when communicating over an insecure channel. The recent CAESAR competition [CAE] has spawned a lot of candidate schemes as well as more theoretical works on the subject. One of the most widely deployed AEAD schemes today is GCM [MV04], which combines, in the “encrypt-then-MAC” fashion [BN00], a Wegman-Carter MAC [WC81, Sho96] based on a polynomial hash function called GHASH, and the counter encryption mode [BDJR97]. GCM is nonce-based [Rog04], i.e., for each encryption the sender must provide a non- repeating value N. Unfortunately, the security of GCM becomes very brittle in case the same nonce N is reused (something called nonce-misuse), in particular a simple attack allows to completely break authenticity [Jou06, BZD+16] (damages to confidentiality are to some extent less dramatic [ADL17]).
    [Show full text]
  • Generic Attacks Against Beyond-Birthday-Bound Macs
    Generic Attacks against Beyond-Birthday-Bound MACs Gaëtan Leurent1, Mridul Nandi2, and Ferdinand Sibleyras1 1 Inria, France {gaetan.leurent,ferdinand.sibleyras}@inria.fr 2 Indian Statistical Institute, Kolkata [email protected] Abstract. In this work, we study the security of several recent MAC constructions with provable security beyond the birthday bound. We con- sider block-cipher based constructions with a double-block internal state, such as SUM-ECBC, PMAC+, 3kf9, GCM-SIV2, and some variants (LightMAC+, 1kPMAC+). All these MACs have a security proof up to 22n/3 queries, but there are no known attacks with less than 2n queries. We describe a new cryptanalysis technique for double-block MACs based on finding quadruples of messages with four pairwise collisions in halves of the state. We show how to detect such quadruples in SUM-ECBC, PMAC+, 3kf9, GCM-SIV2 and their variants with O(23n/4) queries, and how to build a forgery attack with the same query complexity. The time com- plexity of these attacks is above 2n, but it shows that the schemes do not reach full security in the information theoretic model. Surprisingly, our attack on LightMAC+ also invalidates a recent security proof by Naito. Moreover, we give a variant of the attack against SUM-ECBC and GCM-SIV2 with time and data complexity O˜(26n/7). As far as we know, this is the first attack with complexity below 2n against a deterministic beyond- birthday-bound secure MAC. As a side result, we also give a birthday attack against 1kf9, a single-key variant of 3kf9 that was withdrawn due to issues with the proof.
    [Show full text]