Development of Authentication Codes of Messages on the Basis of Umac with Crypto-Code Mceliece’S Scheme
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure Is SSL?)?
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)? Hugo Krawczyk?? Abstract. We study the question of how to generically compose sym- metric encryption and authentication when building \secure channels" for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combina- tion of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryp- tion and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an en- cryption function that provides (Shannon's) perfect secrecy but when combined with any MAC function under the authenticate-then-encrypt method yields a totally insecure protocol (for example, ¯nding passwords or credit card numbers transmitted under the protection of such protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH. On the positive side we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that xor the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe. 1 Introduction The most widespread application of cryptography in the Internet these days is for implementing a secure channel between two end points and then exchanging information over that channel. -
The Software Performance of Authenticated-Encryption Modes 1
An earlier version of this paper appears at Fast Software Encryption 2011 (FSE 2011). The Software Performance of Authenticated-Encryption Modes Ted Krovetz∗ Phillip Rogawayy March 21, 2011 Abstract We study the software performance of authenticated-encryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 (\Clarkdale") processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 cpb, 3.7 cpb, and 1.5 cpb, while CTR mode requires about 1.3 cpb. Still we find room for algorithmic improvements to OCB, showing how to trim one blockcipher call (most of the time, assuming a counter-based nonce) and reduce latency. Our findings contrast with those of McGrew and Viega (2004), who claimed similar performance for GCM and OCB. Key words: authenticated encryption, cryptographic standards, encryption speed, modes of operation, CCM, GCM, OCB. 1 Introduction Background. Over the past few years, considerable effort has been spent constructing schemes for authenticated encryption (AE). One reason is recognition of the fact that a scheme that delivers both privacy and authenticity may be more efficient than the straightforward amalgamation of separate privacy and authenticity techniques. A second reason is the realization that an AE scheme is less likely to be incorrectly used than an encryption scheme designed for privacy alone. While other possibilities exist, it is natural to build AE schemes from blockciphers, employing some mode of operation. There are two approaches. In a composed (\two-pass") AE scheme one conjoins essentially separate privacy and authenticity modes. -
Authenticated Key-Exchange: Protocols, Attacks, and Analyses
The HMAC construction: A decade later Ran Canetti IBM Research What is HMAC? ● HMAC: A Message Authentication Code based on Cryptographic Hash functions [Bellare-C-Krawczyk96]. ● Developed for the IPSec standard of the Internet Engineering Task Force (IETF). ● Currently: - incorporated in IPSec, SSL/TLS, SSH, Kerberos, SHTTP, HTTPS, SRTP, MSEC, ... - ANSI and NIST standards - Used daily by all of us. Why is HMAC interesting? ● “Theoretical” security analysis impacts the security of real systems. ● Demonstrates the importance of modelling and abstraction in practical cryptography. ● The recent attacks on hash functions highlight the properties of the HMAC design and analysis. ● Use the HMAC lesson to propose requirements for the next cryptographic hash function. Organization ● Authentication, MACs, Hash-based MACs ● HMAC construction and analysis ● Other uses of HMAC: ● Pseudo-Random Functions ● Extractors ● What properties do we want from a “cryptographic hash function”? Authentication m m' A B The goal: Any tampering with messages should be detected. “If B accepts message m from A then A has sent m to B.” • One of the most basic cryptographic tasks • The basis for any security-conscious interaction over an open network Elements of authentication The structure of typical cryptographic solutions: • Initial entity authentication: The parties perform an initial exchange, bootstrapping from initial trusted information on each other. The result is a secret key that binds the parties to each other. • Message authentication: The parties use the key to authenticate exchanged messages via message authentication codes. Message Authentication Codes m,t m',t' A B t=FK(m) t' =? FK(m') • A and B obtain a common secret key K • A and B agree on a keyed function F • A sends t=FK(m) together with m • B gets (m',t') and accepts m' if t'=FK(m'). -
Hello, and Welcome to This Presentation of the STM32 Hash Processor
Hello, and welcome to this presentation of the STM32 hash processor. 1 Hash peripheral is in charge of efficient computing of message digest. A digest is a fixed-length value computed from an input message. A digest is unique - it is virtually impossible to find two messages with the same digest. The original message cannot be retrieved from its digest. Hash digests and Hash-based Message Authentication Code (HMAC) are widely used in communication since they are used to guarantee the integrity and authentication of a transfer. 2 The hash processor supports widely used hash functions including Message Digest 5 (MD5), Secure Hash Algorithm SHA-1 and the more recent SHA-2 with its 224- and 256- bit digest length versions. A hash can also be generated with a secrete-key to produce a message authentication code (MAC). The processor supports bit, byte and half-word swapping. It supports also automatic padding of input data for block alignment. The processor can be used in conjunction with the DMA for automatic processor feeding. 3 All supported hash functions work on 512-bit blocks of data. The input message is split as many times as needed to feed the hash processor. Subsequent blocks are computed sequentially. MD5 is the less robust function with only a 128-bit digest. The SHA standard has two versions SHA-1 and the more recent SHA-2 with its 224- and 256-bit digest length versions. 4 The hash-based message authentication code (HMAC) is used to authenticate messages and verify their integrity. The HMAC function consists of two nested Hash function with a secrete key that is shared by the sender and the receiver. -
Patent-Free Authenticated-Encryption As Fast As OCB
Patent-Free Authenticated-Encryption As Fast As OCB Ted Krovetz Computer Science Department California State University Sacramento, California, 95819 USA [email protected] Abstract—This paper presents an efficient authenticated encryp- VHASH hash family [4]. The resulting authenticated encryp- tion construction based on a universal hash function and block tion scheme peaks at 12.8 cpb, while OCB peaks at 13.9 cpb in cipher. Encryption is achieved via counter-mode while authenti- our experiments. The paper closes with a performance com- cation uses the Wegman-Carter paradigm. A single block-cipher parison of several well-known authenticated encryption algo- key is used for both operations. The construction is instantiated rithms [6]. using the hash functions of UMAC and VMAC, resulting in authenticated encryption with peak performance about ten per- cent slower than encryption alone. II. SECURITY DEFINITIONS We adopt the notions of security from [7], and summarize Keywords- Authenticated encryption, block-cipher mode-of- them less formally here. An authenticated encryption with as- operation, AEAD, UMAC, VMAC. sociated data (AEAD) scheme is a triple S = (K,E,D), where K is a set of keys, and E and D are encryption and decryption I. INTRODUCTION functions. Encryption occurs by computing E(k,n,h,p,f), which Traditionally when one wanted to both encrypt and authen- returns (c,t), for key k, nonce n, header h, plaintext m and ticate communications, one would encrypt the message under footer f. Ciphertext c is the encryption of p, and tag t authenti- one key and authenticate the resulting ciphertext under a sepa- cates h, c and f. -
Symmetric Key Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017
Symmetric Key Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Kölbl June 20th, 2017 DTU Compute, Technical University of Denmark Introduction to Symmetric Key Cryptography Symmetric Key Cryptography What can we do? • Encryption • Authentication (MAC) • Hashing • Random Number Generation • Digital Signature Schemes • Key Exchange 1 Authentication Authentication Message Authentication Code (MAC) Key Message MAC Tag • Produces a tag • Provide both authenticity and integrity • It should be hard to forge a valid tag. • Similar to hash but has a key • Similar to digital signature but same key 2 Authentication MAC Algorithm • Block Cipher Based (CBC-MAC) • Hash-based (HMAC, Sponge) • Universal Hashing (UMAC, Poly1305) 3 Authentication CBC-MAC M1 M2 Mi 0 EK EK EK T 4 Authentication Hash-based: • H(k jj m) • Okay with Sponge, fails with MD construction. • H(m jj k) • Collision on H allows to construct Tag collision. • HMAC: H(k ⊕ c1kj H(k ⊕ c2jjm)) 5 Authentication Universal Hashing (UMAC, Poly1305, …) • We need a universal hash function family H. • Parties share a secret member of H and key k. • Attacker does not know which one was chosen. Definition A set H of hash functions h : U ! N is universal iff 8x; y 2 U: 1 Pr (h(x) = h(y)) ≤ h2H jNj when h is chosen uniformly at random. 6 Authenticated Encryption In practice we always want Authenticated Encryption • Encryption does not protect against malicious alterations. • WEP [TWP07] • Plaintext recovery OpenSSH [APW09] • Recover TLS cookies [DR11] Problem Lot of things can go wrong when combining encryption and authentication. Note: This can allow to recover plaintext, forge messages.. -
Message Authentication Codes
MessageMessage AuthenticationAuthentication CodesCodes Was this message altered? Did he really send this? Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 [email protected] Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/ Washington University in St. Louis CSE571S ©2011 Raj Jain 12-1 OverviewOverview 1. Message Authentication 2. MACS based on Hash Functions: HMAC 3. MACs based on Block Ciphers: DAA and CMAC 4. Authenticated Encryption: CCM and GCM 5. Pseudorandom Number Generation Using Hash Functions and MACs These slides are based partly on Lawrie Brown’s slides supplied with William Stallings’s book “Cryptography and Network Security: Principles and Practice,” 5th Ed, 2011. Washington University in St. Louis CSE571S ©2011 Raj Jain 12-2 MessageMessage SecuritySecurity RequirementsRequirements Disclosure Traffic analysis Masquerade Content modification Sequence modification Timing modification Source repudiation Destination repudiation Message Authentication = Integrity + Source Authentication Washington University in St. Louis CSE571S ©2011 Raj Jain 12-3 PublicPublic--KeyKey AuthenticationAuthentication andand SecrecySecrecy A B’s Public A’s PrivateMessage B A Key Key B Double public key encryption provides authentication and integrity. Double public key Very compute intensive Crypto checksum (MAC) is better. Based on a secret key and the message. Can also encrypt with the same or different key. Washington University in St. Louis CSE571S ©2011 Raj Jain 12-4 MACMAC PropertiesProperties A MAC is a cryptographic checksum MAC = CK(M) Condenses a variable-length message M using a secret key To a fixed-sized authenticator Is a many-to-one function Potentially many messages have same MAC But finding these needs to be very difficult Properties: 1. -
Reducing the Impact of Dos Attacks on Endpoint IP Security
Reducing the Impact of DoS Attacks on Endpoint IP Security Joseph D. Touch and Yi-Hua Edward Yang USC/ISI [email protected] / [email protected] 1 Abstract some attack traffic. These results also indicate that this technique becomes more effective as the algorithm IP security is designed to protect hosts from attack, becomes more computationally intensive, and suggest but can itself provide a way to overwhelm the that such hierarchical intra-packet defenses are needed resources of a host. One such denial of service (DoS) to avoid IPsec being itself an opportunity for attack. attack involves sending incorrectly signed packets to a host, which then consumes substantial CPU resources 2. Background to reject unwanted traffic. This paper quantifies the impact of such attacks and explores preliminary ways Performance has been a significant issue for to reduce that impact. Measurements of the impact of Internet security since its inception and affects the DoS attack traffic on PC hosts indicate that a single IPsec suite both at the IKE (session establishment) and attacker can reduce throughput by 50%. This impact IPsec (packets in a session) level [10][11]. This paper can be reduced to 20% by layering low-effort nonce focuses on the IPsec level, i.e., protection for validation on IPsec’s CPU-intensive cryptographic established sessions. Previous performance analysis of algorithms, but the choice of algorithm does not have HMAC-MD5 (Hashed-MAC, where MAC means as large an effect. This work suggests that effective keyed Message Authentication Code), HMAC-SHA1, DoS resistance requires a hierarchical defense using and 3DES showed that the cost of the cryptographic both nonces and strong cryptography at the endpoints, algorithms dwarfs other IPsec overheads [6] [7] [15]. -
Stronger Security Variants of GCM-SIV
Stronger Security Variants of GCM-SIV Tetsu Iwata1 and Kazuhiko Minematsu2 1 Nagoya University, Nagoya, Japan, [email protected] 2 NEC Corporation, Kawasaki, Japan, [email protected] Abstract. At CCS 2015, Gueron and Lindell proposed GCM-SIV, a provably secure authenticated encryption scheme that remains secure even if the nonce is repeated. While this is an advantage over the original GCM, we first point out that GCM-SIV allows a trivial distinguishing attack with about 248 queries, where each query has one plaintext block. This shows the tightness of the security claim and does not contradict the provable security result. However, the original GCM resists the attack, and this poses a question of designing a variant of GCM-SIV that is secure against the attack. We present a minor variant of GCM-SIV, which we call GCM-SIV1, and discuss that GCM-SIV1 resists the attack, and it offers a security trade-off compared to GCM-SIV. As the main contribution of the paper, we explore a scheme with a stronger security bound. We present GCM-SIV2 which is obtained by running two instances of GCM-SIV1 in parallel and mixing them in a simple way. We show that it is secure up to 285.3 query complexity, where the query complexity is measured in terms of the total number of blocks of the queries. Finally, we generalize this to show GCM-SIVr by running r instances of GCM-SIV1 in parallel, where r ≥ 3, and show that the scheme is secure up to 2128r/(r+1) query complexity. -
Implementation of Hash Function for Cryptography (Rsa Security)
International Journal For Technological Research In Engineering Volume 4, Issue 6, February-2017 ISSN (Online): 2347 - 4718 IMPLEMENTATION OF HASH FUNCTION FOR CRYPTOGRAPHY (RSA SECURITY) Syed Fateh Reza1, Mr. Prasun Das2 1M.Tech. (ECE), 2Assistant Professor (ECE), Bitm,Bolpur ABSTRACT: In this thesis, a new method for expected to have a unique hash code and it should be implementing cryptographic hash functions is proposed. generally difficult for an attacker to find two messages with This method seeks to improve the speed of the hash the same hash code. function particularly when a large set of messages with Mathematically, a hash function (H) is defined as follows: similar blocks such as documents with common Headers H: {0, 1}* → {0, 1}n are to be hashed. The method utilizes the peculiar run-time In this notation, {0, 1}* refers to the set of binary elements configurability Feature of FPGA. Essentially, when a block of any length including the empty string while {0, 1}n refers of message that is commonly hashed is identified, the hash to the set of binary elements of length n. Thus, the hash value is stored in memory so that in subsequent occurrences function maps a set of binary elements of arbitrary length to of The message block, the hash value does not need to be a set of binary elements of fixed length. Similarly, the recomputed; rather it is Simply retrieved from memory, thus properties of a hash function are defined as follows: giving a significant increase in speed. The System is self- x {0, 1}*; y {0,1}n learning and able to dynamically build on its knowledge of Pre-image resistance: given y= H(x), it should be difficult to frequently Occurring message blocks without intervention find x. -
FIPS 198, the Keyed-Hash Message Authentication Code (HMAC)
ARCHIVED PUBLICATION The attached publication, FIPS Publication 198 (dated March 6, 2002), was superseded on July 29, 2008 and is provided here only for historical purposes. For the most current revision of this publication, see: http://csrc.nist.gov/publications/PubsFIPS.html#198-1. FIPS PUB 198 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION The Keyed-Hash Message Authentication Code (HMAC) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8900 Issued March 6, 2002 U.S. Department of Commerce Donald L. Evans, Secretary Technology Administration Philip J. Bond, Under Secretary National Institute of Standards and Technology Arden L. Bement, Jr., Director Foreword The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Computer Security Act of 1987 (Public Law 100-235). These mandates have given the Secretary of Commerce and NIST important responsibilities for improving the utilization and management of computer and related telecommunications systems in the Federal government. The NIST, through its Information Technology Laboratory, provides leadership, technical guidance, and coordination of government efforts in the development of standards and guidelines in these areas. Comments concerning Federal Information Processing Standards Publications are welcomed and should be addressed to the Director, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900. William Mehuron, Director Information Technology Laboratory Abstract This standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions. -
Message Authentication Aspects of Message Authentication Message
Message authentication Message (or document) is authentic if • It is genuine and Message authentication and came from its alleged source. hash functions • Message authentication is a procedure which verifies that received messages are authentic COMP 522 COMP 522 Aspects of message authentication Message authentication techniques We would like to ensure that • Using conventional message encryption: • The content of the message has not been if we assume that only sender and receiver share a secret changed; key then the fact that receiver can successfully decrypt the message means the message has been encrypted by the • The source of the message is authentic; sender • The message has not been delayed and replayed; • Without message encryption The message is not encrypted, but special authentication tag is generated and appended to the message. Generation of a tag is a much more efficient procedure that encryption of the message. COMP 522 COMP 522 1 Message Authentication Code Message authentication using MAC • Let A and B share a common secret key K • If A would like to send a message M to B, she calculates a message authentication code MAC of M using the key K : MAC = F(K,M) • Then A appends MAC to M and sends all this to B; • B applies the MAC algorithm to the received message and compares the result with the received MAC COMP 522 COMP 522 MAC algorithms One-way Hash functions • The process of MAC generation is similar to the • An alternative method for the message encryption; authentication is to use one-way hash functions • The difference is a MAC algorithm need not be instead of MAC; reversible Æ easier to implement and less • The main difference is hash functions don’t use a vulnerable to being broken; secret key: • Actually, standard encryption algorithms can be h = H(M); used for MAC generation: • “One-way” in the name refers to the property of • For example, a message may be encrypted with DES such functions: they are easy to compute, but their and then last 16 or 32 bits of the encrypted text may be reverse functions are very difficult to compute.