DOCSLIB.ORG

Analysis and Design of Message Authentication Codes Shahram Bakhtiari Bakhtiari Haft Lang University of Wollongong

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Analysis and Design of Message Authentication Codes Shahram Bakhtiari Bakhtiari Haft Lang University of Wollongong University of Wollongong Research Online University of Wollongong Thesis Collection University of Wollongong Thesis Collections 1998 Analysis and design of message authentication codes Shahram Bakhtiari Bakhtiari Haft Lang University of Wollongong Recommended Citation Bakhtiari Haft Lang, Shahram Bakhtiari, Analysis and design of message authentication codes, Doctor of Philosophy thesis, School of Information Technology and Computer Science, University of Wollongong, 1998. http://ro.uow.edu.au/theses/2003 Research Online is the open access institutional repository for the University of Wollongong. For further information contact the UOW Library: [email protected] T TNIVERSITY \\ 70LLONGONG Analysis and Design 01 Message Autnentication Codes A thesis submitted in fulfillment of the requirements for the award of the degree Doctor of Philosophy from UNIVERSITY OF WOLLONGONG by Shahram Bakhtiari Haft Lang, MSc School of Information Technology and Computer Science February 1998 © Copyright 1998 by Shahram Bakhtiari Haft Lang, MSc All Rights Reserved ii Dedicated to my wife iii Declaration This is to certify that the work reported in this thesis was done by the author, unless specified otherwise, and that no part of it has been submitted in a thesis to any other university or similar institution. Shahram Bakhtiari Haft Lang, MSc February 1998 iv Abstract Analysis and Design of Message Authentication Codes Shahram Bakhtiari Haft Lang School of Information Technology and Computer Science University of Wollongong Message Authentication Codes (MACs) play an important role in today's infor­ mation communication. Messages which are sent over an insecure channel need to be authenticated to prevent attacks such as message forgery by an intruder who can tamper with the channel. To provide message authenticity, assuming that the transmitter and the receiver share a secret key, a MAC can be used. In a MAC system, the transmitter generates a tag which is a function of the message and the secret key, and appends it to the message before sending it over the channel. The receiver can verify the authenticity of a received message, on the other end of the channel, by recomputing the tag and comparing it with the appended one. In analysis and design of MACs two different approaches, known as unconditional security and computational security, can be used. The aim of this thesis is to study the existing MAC systems and propose new constructions which are more efficient and meanwhile maintain the required security. We justify the security of our proposed constructions using computational security and unconditional security approaches. We also propose a new definition for keyed hash functions and relate them to MACs. Finally, we cryptanalyze two proposed collisionful hash functions. v Thesis Related Publications 1. Shahram Bakhtiari, Reihaneh Safavi-Naini, and Josef Pieprzyk, "Practical and Secure Message Authentication," in Series of Annual Workshop on Selected Areas in Cryptography (SAC '95), pages 55-68, School of Computer Science, Carlton University, May 1995. 2. Shahram Bakhtiari, Reihaneh Safavi-Naini, and Josef Pieprzyk, "Cryptographic Hash Functions: A Survey," Technical Report 95-09, Department of Computer Science, University of Wollongong, July 1995. 3. Shahram Bakhtiari, Reihaneh Safavi-Naini, and Josef Pieprzyk, "Keyed Hash Functions," in Cryptography: Policy and Algorithms Conference, volume 1029 of Lecture Notes in Computer Science (LNCS), pages 201-214, Springer-Verlag, July 1995. 4. Shahram Bakhtiari, Reihaneh Safavi-Naini, and Josef Pieprzyk, "On Selectable Collisionful Hash Functions," in Australian Conference on Information Secu­ rity and Privacy (ACISP '96), volume 1172 of Lecture Notes in Computer Science (LNCS), pages 287-298, Springer-Verlag, June 1996. 5. Shahram Bakhtiari, Reihaneh Safavi-Naini, and Josef Pieprzyk, "Password- Based Authenticated Key Exchange using Collisionful Hash Functions," in Australian Conference on Information Security and Privacy (ACISP '96), volume 1172 of Lecture Notes in Computer Science (LNCS), pages 299-310, Springer-Verlag, June 1996. 6. Shahram Bakhtiari, Reihaneh Safavi-Naini, and Josef Pieprzyk, "On the Weak­ nesses of Gong's Collisionful Hash Function," Journal of Universal Computer Science, volume 3, pages 185-196, March 1997. vi 7. Shahram Bakhtiari, Reihaneh Safavi-Naini, and Josef Pieprzyk, "A Message Authentication Code based on Latin Squares," in Australian Conference on Information Security and Privacy (ACISP '97), volume 1270 of Lecture Notes in Computer Science (LNCS), pages 194-203, Springer-Verlag, July 1997. 8. Reihaneh Safavi-Naini and Shahram Bakhtiari, "MRD Hashing and its appli­ cation to Shared Generation of MAC," Technical Report 97-02, Department of Computer Science, University of Wollongong, August 1997. vii Acknowledgement There are many people and organisations who deserve to be acknowledged in this thesis. I would like to first thank my supervisor, Associate Professor Reihaneh Safavi-Naini, for her support and interest in this thesis. I also thank my co- supervisor, Associate Professor Josef Pieprzyk, who assisted me in parallel with my supervisor. The main source of the financial support for this work was the Ministry of Culture and Higher Education (MCHE), Iran, which deserves to be acknowledged here. I wish to thank all the staff in the Centre for Computer Security Research and the school of IT and CS, for their help and assistance. Finally, I thank my wife and dedicate this thesis to her, for bearing all the difficulties during my PhD program and also encouraging me all the time to reach to this point. viii Contents Abstract v Thesis Related Publications V1 Acknowledgement V111 1 Introduction 1 1.1 Aims and Objectives 1 1.2 Structure of Thesis and its Contributions 2 1.3 Notations and Abbreviations 4 2 A Survey on Message Authentication Codes 6 2.1 Introduction 6 2.1.1 Security Approaches 7 2.2 Cryptographic Hash Functions 10 2.3 Keyed Hash Functions 12 2.3.1 Keyed Hash Functions as Primitives 15 2.4 Collisionful Hash Functions 17 2.5 Hash Function Families and Unconditionally Secure MACs 18 2.6 Methods of Attack on MACs 22 2.7 MAC Constructions 26 2.7.1 Construction from Existing Hash Functions 27 2.7.2 Construction from Block Ciphers 29 2.7.3 Construction from Scratch 30 2.8 Summary 30 3 Design of Practical MACs 32 3.1 Introduction 32 IX 3.2 Construction of Keyed Hash Functions 33 3.2.1 Tsudik's Proposed Methods 34 3.2.2 The Improved Method (Using Small Key) 36 3.2.3 Security Analysis of the Proposed Method 38 3.3 A New Construction for a Fast and Secure MAC 40 3.3.1 Description of the Algorithm 41 3.3.2 Properties of the Designed MAC 45 3.3.3 Implementation of the Proposed MAC 46 3.3.4 Security Analysis of the MAC 46 3.4 Summary 47 Design of Unconditionally Secure MACs 49 4.1 Introduction 49 4.2 Previously Proposed Wegman-Carter based MAC Constructions ... 50 4.3 A MAC Construction based on Latin Squares 53 4.3.1 Background on Latin Squares 53 4.3.2 Towards Constructing an e-AU2 Family 54 4.3.3 An Example 59 4.3.4 Defining a New MAC 61 4.3.5 Implementation 61 4.4 Construction of a MAC based on MRD Codes 64 4.4.1 Background on MRD Codes and Finite Fields 64 4.4.2 Constructing an e-AU2 Family based on MRD Codes 69 4.4.3 Defining a New MAC 71 4.5 Summary 72 On the Security of Collisionful Hash Functions 74 5.1 Introduction 74 5.2 Gong's Selectable Collisionful Hash Function 75 5.2.1 Description of Gong's Method 75 5.2.2 Attacking Gong's Method 77 5.2.3 Practical Results of the Attack 82 5.2.4 Securing the Method 83 5.3 Anderson and Lomas' Password-Based Authenticated Key Exchange . 86 5.3.1 Difne-Hellman Key Exchange 87 x I 5.3.2 Anderson and Lomas' Scheme 87 5.3.3 Attacking Anderson and Lomas' Scheme 89 5.3.4 Probability of Success 90 5.3.5 Optimal Choice of m 92 5.3.6 Alternative Solutions for Password-Based Authenticated Key Exchange 94 5.4 Summary 98 6 Conclusion and Further Work 100 6.1 Summary of Issues and Results 100 6.2 Fulfilment of Aims and Objectives 101 6.3 Further Work and Open Problems 102 Bibliography 104 A Source Code for KHF 117 A.l KHF.C 117 A.2 KHF.H1 124 A.3 KHF.H2 127 B Source Code for our Latin Square Based MAC 130 B.l LS-MAC.CPP 132 B.2 LS.CPP 134 B.3 LS.H 135 C Experimental Results for the Latin Square based MAC 137 D Some Improvements in the Designed MAC 144 xi List of Tables 1.1 Notations 5 1.2 Abbreviations 5 3.1 Speed comparison between the proposed MAC and MD5 46 4.1 The 64 steps of the LS hashing example 62 4.2 Conjugate groups with minimal and linearised minimal polynomials . 71 4.3 Parameters for the designed MAC based on MRD codes when n < 19 72 5.1 Implementation results of the attack on Gong's basic scheme 83 5.2 Implementation results of the attack on Gong's extended scheme ... 83 5.3 Implementation results of the attack on Anderson and Lomas' protocol 90 5.4 Expected values ex to e^ for three steps of the attack 93 5.5 Results of three steps of the attack on the extended protocol 94 5.6 Expected values for three steps of the attack on the extended protocol 96 C.l Isotopy classes of Latin squares 138 C.2 Experimental results for finding the mapping collisions 141 xii 1 List of Figures 2.1 The efficiency comparison between SKHFs and KHFs 15 2.2 Hash-then-encrypt MAC construction 28 2.3 Construction of a MAC using a cryptographic hash function 29 3.1 Keying a hash function from two input parts 38 3.2 Message padding in the proposed MAC 42 3.3 One round of the proposed MAC 43 5.1 Proposed collisionful hash function by Anderson and Lomas 91 5.2 Comparing probabilities of the three levels of the attack 95 D.l One round of the proposed MAC (new version) 145 xiii Chapter 1 Introduction Cryptographic mechanisms for verifying the integrity and authenticity of information are necessary in today's rapidly proliferating distributed information systems.
Load more

Recommended publications
  • The Order of Encryption and Authentication for Protecting Communications (Or: How Secure Is SSL?)?
    The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)? Hugo Krawczyk?? Abstract. We study the question of how to generically compose sym- metric encryption and authentication when building \secure channels" for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combina- tion of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryp- tion and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an en- cryption function that provides (Shannon's) perfect secrecy but when combined with any MAC function under the authenticate-then-encrypt method yields a totally insecure protocol (for example, ¯nding passwords or credit card numbers transmitted under the protection of such protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH. On the positive side we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that xor the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe. 1 Introduction The most widespread application of cryptography in the Internet these days is for implementing a secure channel between two end points and then exchanging information over that channel.
    [Show full text]
  • Authenticated Key-Exchange: Protocols, Attacks, and Analyses
    The HMAC construction: A decade later Ran Canetti IBM Research What is HMAC? ● HMAC: A Message Authentication Code based on Cryptographic Hash functions [Bellare-C-Krawczyk96]. ● Developed for the IPSec standard of the Internet Engineering Task Force (IETF). ● Currently: - incorporated in IPSec, SSL/TLS, SSH, Kerberos, SHTTP, HTTPS, SRTP, MSEC, ... - ANSI and NIST standards - Used daily by all of us. Why is HMAC interesting? ● “Theoretical” security analysis impacts the security of real systems. ● Demonstrates the importance of modelling and abstraction in practical cryptography. ● The recent attacks on hash functions highlight the properties of the HMAC design and analysis. ● Use the HMAC lesson to propose requirements for the next cryptographic hash function. Organization ● Authentication, MACs, Hash-based MACs ● HMAC construction and analysis ● Other uses of HMAC: ● Pseudo-Random Functions ● Extractors ● What properties do we want from a “cryptographic hash function”? Authentication m m' A B The goal: Any tampering with messages should be detected. “If B accepts message m from A then A has sent m to B.” • One of the most basic cryptographic tasks • The basis for any security-conscious interaction over an open network Elements of authentication The structure of typical cryptographic solutions: • Initial entity authentication: The parties perform an initial exchange, bootstrapping from initial trusted information on each other. The result is a secret key that binds the parties to each other. • Message authentication: The parties use the key to authenticate exchanged messages via message authentication codes. Message Authentication Codes m,t m',t' A B t=FK(m) t' =? FK(m') • A and B obtain a common secret key K • A and B agree on a keyed function F • A sends t=FK(m) together with m • B gets (m',t') and accepts m' if t'=FK(m').
    [Show full text]
  • Introduction to Public Key Cryptography and Clock Arithmetic Lecture Notes for Access 2010, by Erin Chamberlain and Nick Korevaar
    1 Introduction to Public Key Cryptography and Clock Arithmetic Lecture notes for Access 2010, by Erin Chamberlain and Nick Korevaar We’ve discussed Caesar Shifts and other mono-alphabetic substitution ciphers, and we’ve seen how easy it can be to break these ciphers by using frequency analysis. If Mary Queen of Scots had known this, perhaps she would not have been executed. It was a long time from Mary Queen of Scots and substitution ciphers until the end of the 1900’s. Cryptography underwent the evolutionary and revolutionary changes which Si- mon Singh chronicles in The Code Book. If you are so inclined and have appropriate leisure time, you might enjoy reading Chapters 2-5, to learn some of these historical cryptography highlights: People came up with more complicated substitution ciphers, for example the Vigen`ere square. This Great Cipher of France baffled people for quite a while but a de- termined cryptographer Etienne Bazeries had a Eureka moment after three years of work, cracked the code, and possibly found the true identity of the Man in the Iron Mask, one of the great mysteries of the seventeeth century. Edgar Allan Poe and Sir Arthur Conan Doyle even dabbled in cryptanalysis. Secrecy was still a problem though because the key needed to be sent, and with the key anyone could encrypt and decrypt the messages. Frequency analysis was used to break all of these codes. In 1918 Scherbius invented his Enigma machine, but Alan Turing’s machine (the first computer?) helped in figuring out that supposedly unbreakable code, and hastened the end of the second World War.
    [Show full text]
  • The Mathemathics of Secrets.Pdf
    THE MATHEMATICS OF SECRETS THE MATHEMATICS OF SECRETS CRYPTOGRAPHY FROM CAESAR CIPHERS TO DIGITAL ENCRYPTION JOSHUA HOLDEN PRINCETON UNIVERSITY PRESS PRINCETON AND OXFORD Copyright c 2017 by Princeton University Press Published by Princeton University Press, 41 William Street, Princeton, New Jersey 08540 In the United Kingdom: Princeton University Press, 6 Oxford Street, Woodstock, Oxfordshire OX20 1TR press.princeton.edu Jacket image courtesy of Shutterstock; design by Lorraine Betz Doneker All Rights Reserved Library of Congress Cataloging-in-Publication Data Names: Holden, Joshua, 1970– author. Title: The mathematics of secrets : cryptography from Caesar ciphers to digital encryption / Joshua Holden. Description: Princeton : Princeton University Press, [2017] | Includes bibliographical references and index. Identifiers: LCCN 2016014840 | ISBN 9780691141756 (hardcover : alk. paper) Subjects: LCSH: Cryptography—Mathematics. | Ciphers. | Computer security. Classification: LCC Z103 .H664 2017 | DDC 005.8/2—dc23 LC record available at https://lccn.loc.gov/2016014840 British Library Cataloging-in-Publication Data is available This book has been composed in Linux Libertine Printed on acid-free paper. ∞ Printed in the United States of America 13579108642 To Lana and Richard for their love and support CONTENTS Preface xi Acknowledgments xiii Introduction to Ciphers and Substitution 1 1.1 Alice and Bob and Carl and Julius: Terminology and Caesar Cipher 1 1.2 The Key to the Matter: Generalizing the Caesar Cipher 4 1.3 Multiplicative Ciphers 6
    [Show full text]
  • Hello, and Welcome to This Presentation of the STM32 Hash Processor
    Hello, and welcome to this presentation of the STM32 hash processor. 1 Hash peripheral is in charge of efficient computing of message digest. A digest is a fixed-length value computed from an input message. A digest is unique - it is virtually impossible to find two messages with the same digest. The original message cannot be retrieved from its digest. Hash digests and Hash-based Message Authentication Code (HMAC) are widely used in communication since they are used to guarantee the integrity and authentication of a transfer. 2 The hash processor supports widely used hash functions including Message Digest 5 (MD5), Secure Hash Algorithm SHA-1 and the more recent SHA-2 with its 224- and 256- bit digest length versions. A hash can also be generated with a secrete-key to produce a message authentication code (MAC). The processor supports bit, byte and half-word swapping. It supports also automatic padding of input data for block alignment. The processor can be used in conjunction with the DMA for automatic processor feeding. 3 All supported hash functions work on 512-bit blocks of data. The input message is split as many times as needed to feed the hash processor. Subsequent blocks are computed sequentially. MD5 is the less robust function with only a 128-bit digest. The SHA standard has two versions SHA-1 and the more recent SHA-2 with its 224- and 256-bit digest length versions. 4 The hash-based message authentication code (HMAC) is used to authenticate messages and verify their integrity. The HMAC function consists of two nested Hash function with a secrete key that is shared by the sender and the receiver.
    [Show full text]
  • Message Authentication Codes
    MessageMessage AuthenticationAuthentication CodesCodes Was this message altered? Did he really send this? Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 [email protected] Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/ Washington University in St. Louis CSE571S ©2011 Raj Jain 12-1 OverviewOverview 1. Message Authentication 2. MACS based on Hash Functions: HMAC 3. MACs based on Block Ciphers: DAA and CMAC 4. Authenticated Encryption: CCM and GCM 5. Pseudorandom Number Generation Using Hash Functions and MACs These slides are based partly on Lawrie Brown’s slides supplied with William Stallings’s book “Cryptography and Network Security: Principles and Practice,” 5th Ed, 2011. Washington University in St. Louis CSE571S ©2011 Raj Jain 12-2 MessageMessage SecuritySecurity RequirementsRequirements Disclosure Traffic analysis Masquerade Content modification Sequence modification Timing modification Source repudiation Destination repudiation Message Authentication = Integrity + Source Authentication Washington University in St. Louis CSE571S ©2011 Raj Jain 12-3 PublicPublic--KeyKey AuthenticationAuthentication andand SecrecySecrecy A B’s Public A’s PrivateMessage B A Key Key B Double public key encryption provides authentication and integrity. Double public key Very compute intensive Crypto checksum (MAC) is better. Based on a secret key and the message. Can also encrypt with the same or different key. Washington University in St. Louis CSE571S ©2011 Raj Jain 12-4 MACMAC PropertiesProperties A MAC is a cryptographic checksum MAC = CK(M) Condenses a variable-length message M using a secret key To a fixed-sized authenticator Is a many-to-one function Potentially many messages have same MAC But finding these needs to be very difficult Properties: 1.
    [Show full text]
  • The Enigma History and Mathematics
    The Enigma History and Mathematics by Stephanie Faint A thesis presented to the University of Waterloo in fulfilment of the thesis requirement for the degree of Master of Mathematics m Pure Mathematics Waterloo, Ontario, Canada, 1999 @Stephanie Faint 1999 I hereby declare that I am the sole author of this thesis. I authorize the University of Waterloo to lend this thesis to other institutions or individuals for the purpose of scholarly research. I further authorize the University of Waterloo to reproduce this thesis by pho­ tocopying or by other means, in total or in part, at the request of other institutions or individuals for the purpose of scholarly research. 11 The University of Waterloo requires the signatures of all persons using or pho­ tocopying this thesis. Please sign below, and give address and date. ill Abstract In this thesis we look at 'the solution to the German code machine, the Enigma machine. This solution was originally found by Polish cryptologists. We look at the solution from a historical perspective, but most importantly, from a mathematical point of view. Although there are no complete records of the Polish solution, we try to reconstruct what was done, sometimes filling in blanks, and sometimes finding a more mathematical way than was originally found. We also look at whether the solution would have been possible without the help of information obtained from a German spy. IV Acknowledgements I would like to thank all of the people who helped me write this thesis, and who encouraged me to keep going with it. In particular, I would like to thank my friends and fellow grad students for their support, especially Nico Spronk and Philippe Larocque for their help with latex.
    [Show full text]
  • Encryption Is Futile: Delay Attacks on High-Precision Clock Synchronization 1
    R. ANNESSI, J. FABINI, F.IGLESIAS, AND T. ZSEBY: ENCRYPTION IS FUTILE: DELAY ATTACKS ON HIGH-PRECISION CLOCK SYNCHRONIZATION 1 Encryption is Futile: Delay Attacks on High-Precision Clock Synchronization Robert Annessi, Joachim Fabini, Felix Iglesias, and Tanja Zseby Institute of Telecommunications TU Wien, Austria Email: fi[email protected] Abstract—Clock synchronization has become essential to mod- endanger control decisions, and adversely affect the overall ern societies since many critical infrastructures depend on a functionality of a wide range of (critical) services that depend precise notion of time. This paper analyzes security aspects on accurate time. of high-precision clock synchronization protocols, particularly their alleged protection against delay attacks when clock syn- In recent years, security of clock synchronization received chronization traffic is encrypted using standard network security increased attention as various attacks on clock synchronization protocols such as IPsec, MACsec, or TLS. We use the Precision protocols (and countermeasures) were proposed. For this Time Protocol (PTP), the most widely used protocol for high- reason, clock synchronization protocols need to be secured precision clock synchronization, to demonstrate that statistical whenever used outside of fully trusted network environments. traffic analysis can identify properties that support selective message delay attacks even for encrypted traffic. We furthermore Clock synchronization protocols are specifically susceptible to identify a fundamental conflict in secure clock synchronization delay attacks since the times when messages are sent and between the need of deterministic traffic to improve precision and received have an actual effect on the receiver’s notion of the need to obfuscate traffic in order to mitigate delay attacks.
    [Show full text]
  • Stronger Security Variants of GCM-SIV
    Stronger Security Variants of GCM-SIV Tetsu Iwata1 and Kazuhiko Minematsu2 1 Nagoya University, Nagoya, Japan, [email protected] 2 NEC Corporation, Kawasaki, Japan, [email protected] Abstract. At CCS 2015, Gueron and Lindell proposed GCM-SIV, a provably secure authenticated encryption scheme that remains secure even if the nonce is repeated. While this is an advantage over the original GCM, we first point out that GCM-SIV allows a trivial distinguishing attack with about 248 queries, where each query has one plaintext block. This shows the tightness of the security claim and does not contradict the provable security result. However, the original GCM resists the attack, and this poses a question of designing a variant of GCM-SIV that is secure against the attack. We present a minor variant of GCM-SIV, which we call GCM-SIV1, and discuss that GCM-SIV1 resists the attack, and it offers a security trade-off compared to GCM-SIV. As the main contribution of the paper, we explore a scheme with a stronger security bound. We present GCM-SIV2 which is obtained by running two instances of GCM-SIV1 in parallel and mixing them in a simple way. We show that it is secure up to 285.3 query complexity, where the query complexity is measured in terms of the total number of blocks of the queries. Finally, we generalize this to show GCM-SIVr by running r instances of GCM-SIV1 in parallel, where r ≥ 3, and show that the scheme is secure up to 2128r/(r+1) query complexity.
    [Show full text]
  • FIPS 198, the Keyed-Hash Message Authentication Code (HMAC)
    ARCHIVED PUBLICATION The attached publication, FIPS Publication 198 (dated March 6, 2002), was superseded on July 29, 2008 and is provided here only for historical purposes. For the most current revision of this publication, see: http://csrc.nist.gov/publications/PubsFIPS.html#198-1. FIPS PUB 198 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION The Keyed-Hash Message Authentication Code (HMAC) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8900 Issued March 6, 2002 U.S. Department of Commerce Donald L. Evans, Secretary Technology Administration Philip J. Bond, Under Secretary National Institute of Standards and Technology Arden L. Bement, Jr., Director Foreword The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Computer Security Act of 1987 (Public Law 100-235). These mandates have given the Secretary of Commerce and NIST important responsibilities for improving the utilization and management of computer and related telecommunications systems in the Federal government. The NIST, through its Information Technology Laboratory, provides leadership, technical guidance, and coordination of government efforts in the development of standards and guidelines in these areas. Comments concerning Federal Information Processing Standards Publications are welcomed and should be addressed to the Director, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900. William Mehuron, Director Information Technology Laboratory Abstract This standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions.
    [Show full text]
  • Message Authentication Aspects of Message Authentication Message
    Message authentication Message (or document) is authentic if • It is genuine and Message authentication and came from its alleged source. hash functions • Message authentication is a procedure which verifies that received messages are authentic COMP 522 COMP 522 Aspects of message authentication Message authentication techniques We would like to ensure that • Using conventional message encryption: • The content of the message has not been if we assume that only sender and receiver share a secret changed; key then the fact that receiver can successfully decrypt the message means the message has been encrypted by the • The source of the message is authentic; sender • The message has not been delayed and replayed; • Without message encryption The message is not encrypted, but special authentication tag is generated and appended to the message. Generation of a tag is a much more efficient procedure that encryption of the message. COMP 522 COMP 522 1 Message Authentication Code Message authentication using MAC • Let A and B share a common secret key K • If A would like to send a message M to B, she calculates a message authentication code MAC of M using the key K : MAC = F(K,M) • Then A appends MAC to M and sends all this to B; • B applies the MAC algorithm to the received message and compares the result with the received MAC COMP 522 COMP 522 MAC algorithms One-way Hash functions • The process of MAC generation is similar to the • An alternative method for the message encryption; authentication is to use one-way hash functions • The difference is a MAC algorithm need not be instead of MAC; reversible Æ easier to implement and less • The main difference is hash functions don’t use a vulnerable to being broken; secret key: • Actually, standard encryption algorithms can be h = H(M); used for MAC generation: • “One-way” in the name refers to the property of • For example, a message may be encrypted with DES such functions: they are easy to compute, but their and then last 16 or 32 bits of the encrypted text may be reverse functions are very difficult to compute.
    [Show full text]
  • Reconsidering the Security Bound of AES-GCM-SIV
    Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata1 and Yannick Seurin2 1 Nagoya University, Japan [email protected] 2 ANSSI, Paris, France [email protected] Abstract. We make a number of remarks about the AES-GCM-SIV nonce-misuse resis- tant authenticated encryption scheme currently considered for standardization by the Crypto Forum Research Group (CFRG). First, we point out that the security analysis proposed in the ePrint report 2017/168 is incorrect, leading to overly optimistic security claims. We correct the bound and re-assess the security guarantees offered by the scheme for various parameters. Second, we suggest a simple modification to the key derivation function which would improve the security of the scheme with virtually no efficiency penalty. Keywords: authenticated encryption · AEAD · GCM-SIV · AES-GCM-SIV · CAESAR competition 1 Introduction Authenticated Encryption. An authenticated encryption scheme aims at providing both confidentiality and authenticity when communicating over an insecure channel. The recent CAESAR competition [CAE] has spawned a lot of candidate schemes as well as more theoretical works on the subject. One of the most widely deployed AEAD schemes today is GCM [MV04], which combines, in the “encrypt-then-MAC” fashion [BN00], a Wegman-Carter MAC [WC81, Sho96] based on a polynomial hash function called GHASH, and the counter encryption mode [BDJR97]. GCM is nonce-based [Rog04], i.e., for each encryption the sender must provide a non- repeating value N. Unfortunately, the security of GCM becomes very brittle in case the same nonce N is reused (something called nonce-misuse), in particular a simple attack allows to completely break authenticity [Jou06, BZD+16] (damages to confidentiality are to some extent less dramatic [ADL17]).
    [Show full text]