MAC. SKE in Practice. Lecture 5 (PowerPoint PPT Presentation)

Active Adversary
  An active adversary can inject messages into the channel
  Eve can send ciphertexts to Bob and get them


(Multi-msg) MAC from PRF
  When each message is a single block, a PRF is a MAC!
  MAC_K(M) := F_K(M), where F is a PRF
  Ver_K(M, S) := 1 iff S = F_K(M)
  [Figure: M → F_K → F_K(M)]
  Output length of F_K should be big enough
  If an adversary forges the MAC with probability ε_MAC, then it can break the PRF with advantage O(ε_MAC − 2^-m(k)), m(k) being the output length of the PRF. [How?]
  Advantage in breaking a PRF F: difference in the probability that a test outputs 1 when given F vs. a truly random function R
  If a random function R is used as the MAC, then the probability of forgery is ε_MAC* = 2^-m(k)

MAC for Multiple-Block Messages
  What if the message is longer than one block?
  MAC'ing each block separately is not secure (unlike in the case of CPA-secure encryption)
  Eve can rearrange the blocks or drop some blocks
  Could use a PRF that takes longer inputs
  Can we use a PRF with a fixed block length (i.e., a block cipher)?

MAC for Multiple-Block Messages
  A simple solution: "tie the blocks together"
  Add to each block a random string r (the same r for all blocks), the total number of blocks t, and a sequence number i:
    B_i = (r, t, i, M_i)
    MAC(M) = (r, (MAC(B_i))_{i=1..t})
  r prevents mixing blocks from two messages, t prevents dropping blocks, and i prevents rearranging
  Inefficient! Tag length increases with message length
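The "tie the blocks together" scheme above, as an added example (not code from the slides). It assumes 16-byte blocks, fixed-width encodings of t and i, and HMAC-SHA256 truncated to 16 bytes as a stand-in for the single-block PRF F_K; a naive per-block variant is included so the two verifiers can be compared on a reordered or truncated block sequence.

```python
import hmac, hashlib, os

BLOCK = 16   # bytes per message block (assumption for this example)
TAG = 16     # tag length: output of F_K truncated to 16 bytes

def F(key: bytes, x: bytes) -> bytes:
    """Stand-in PRF F_K: HMAC-SHA256 truncated to TAG bytes."""
    return hmac.new(key, x, hashlib.sha256).digest()[:TAG]

def split_blocks(msg: bytes) -> list:
    assert len(msg) % BLOCK == 0, "message must be a whole number of blocks"
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

def encode_block(r: bytes, t: int, i: int, m_i: bytes) -> bytes:
    # B_i = (r, t, i, M_i), with fixed-width fields so the encoding is unambiguous
    return r + t.to_bytes(4, "big") + i.to_bytes(4, "big") + m_i

def mac_tied(key: bytes, msg: bytes, r: bytes = None):
    """MAC(M) = (r, (F_K(B_i))_{i=1..t}) from the slides; r is fresh per message."""
    blocks = split_blocks(msg)
    r = os.urandom(16) if r is None else r
    t = len(blocks)
    tags = [F(key, encode_block(r, t, i, m_i)) for i, m_i in enumerate(blocks, 1)]
    return r, tags

def verify_tied(key: bytes, msg: bytes, r: bytes, tags: list) -> bool:
    blocks = split_blocks(msg)
    t = len(blocks)
    if len(tags) != t:
        return False
    ok = True          # check every block so timing does not reveal which one failed
    for i, (m_i, tag) in enumerate(zip(blocks, tags), 1):
        ok &= hmac.compare_digest(F(key, encode_block(r, t, i, m_i)), tag)
    return ok

# Naive variant for comparison: each block tagged independently, nothing ties them
def mac_naive(key: bytes, msg: bytes) -> list:
    return [F(key, b) for b in split_blocks(msg)]

def verify_naive(key: bytes, msg: bytes, tags: list) -> bool:
    blocks = split_blocks(msg)
    return len(tags) == len(blocks) and all(
        hmac.compare_digest(F(key, b), s) for b, s in zip(blocks, tags))
```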

CBC-MAC
  PRF domain extension: chaining the blocks
  [Figure: m_1 → F_K → ⊕ m_2 → F_K → ... → ⊕ m_t → F_K → T]
  cf. CBC mode for encryption (which is not a MAC!)
  t-block messages, a single-block tag T
  Can be shown to be secure if restricted to t-block messages (i.e., same length)
  Else attacks are possible (by extending a previously signed message)

Patching CBC-MAC
  Patching CBC-MAC to handle messages of any (polynomial) length while still producing a single-block tag (secure if the block cipher is):
  Derive K as F_K'(t), where t is the number of blocks
  Use the first block to specify the number of blocks
    Important that the first block is used: if the last block is used instead, message extension attacks are still possible
  EMAC: output not the last tag T but F_K'(T), where K' is an independent key (after padding the message to an integral number of blocks). No need to know the message length a priori.
  CMAC: XOR the last block with another key (derived from the original key using the block cipher). Avoids padding when the message is an integral number of blocks. NIST Recommendation, 2005.
  Later: hash-based HMAC, used in TLS and IPsec. IETF Standard, 1997.
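Raw CBC-MAC beside the first three patches listed above (key derived from t, length-prefix first block, EMAC), as an added example rather than code from the slides. It assumes 16-byte blocks, 10* padding, and HMAC-SHA256 truncated to one block as a stand-in for the block-cipher PRF F_K.

```python
import hmac, hashlib

BLOCK = 16   # block size in bytes (assumption for this example)

def F(key: bytes, x: bytes) -> bytes:
    """Stand-in for the block-cipher PRF F_K: HMAC-SHA256 truncated to one block."""
    assert len(x) == BLOCK
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac_raw(key: bytes, blocks: list) -> bytes:
    """Plain CBC-MAC: T = F_K(m_t ⊕ F_K(... ⊕ F_K(m_1))). Secure only for fixed-length messages."""
    chain = bytes(BLOCK)
    for m in blocks:
        chain = F(key, xor(chain, m))
    return chain

def pad(msg: bytes) -> list:
    """10* padding to a whole number of blocks (always adds at least one byte)."""
    padded = msg + b"\x80" + b"\x00" * ((-len(msg) - 1) % BLOCK)
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]

def cbc_mac_keyed_by_length(key2: bytes, msg: bytes) -> bytes:
    """Patch 1: derive the CBC-MAC key as F_K'(t), so each message length gets its own key."""
    blocks = pad(msg)
    k = F(key2, len(blocks).to_bytes(BLOCK, "big"))
    return cbc_mac_raw(k, blocks)

def cbc_mac_length_prefix(key: bytes, msg: bytes) -> bytes:
    """Patch 2: the FIRST block carries the block count t (a trailing count would not help)."""
    blocks = pad(msg)
    return cbc_mac_raw(key, [len(blocks).to_bytes(BLOCK, "big")] + blocks)

def emac(key: bytes, key2: bytes, msg: bytes) -> bytes:
    """EMAC: output F_K'(T) instead of the raw tag T, with K' an independent key."""
    return F(key2, cbc_mac_raw(key, pad(msg)))

def verify(tag_fn, args: tuple, tag: bytes) -> bool:
    return hmac.compare_digest(tag_fn(*args), tag)
```

The first assertion pair in the test shows why raw CBC-MAC is only a chaining value: the one-block tag is just F_K(m_1), and a longer message's tag chains directly through it, which is what the patches break.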

SKE in Practice

Stream Ciphers
  Used for one-time encryption
  RC4, eSTREAM portfolio, ...
  In practice, stream ciphers take a key and an "IV" (initialization vector) as inputs
    ("IV" is also used to denote the random nonce chosen for encryption using a block cipher)
  Heuristic goal: behave somewhat like a PRF (instead of a PRG) so that it can be used for multi-message encryption
  But often breaks if used this way
  NIST Standard: for multi-message encryption, use a block cipher in CTR mode

Block Ciphers
  DES, 3DES, Blowfish, AES, ...
  Heuristic constructions
  Permutations that can be inverted with the key
  Speed (hardware/software) is of the essence
  But should withstand known attacks, as a PRP (or at least, against key recovery)

Feistel Network
  Building a permutation from a (block) function
  Let f: {0,1}^m → {0,1}^m be an arbitrary function
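A Feistel network built from an arbitrary, non-invertible round function, as an added example (not from the slides) of the claim that any f: {0,1}^m → {0,1}^m yields an invertible permutation on 2m bits. It assumes m = 64 bits, four rounds, and HMAC-SHA256 truncated to m bits as the keyed round function; decryption never needs to invert f.

```python
import hmac, hashlib

M = 8  # half-block width in bytes: f maps {0,1}^m -> {0,1}^m with m = 64 bits (assumption)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(subkey: bytes, x: bytes) -> bytes:
    """An arbitrary (non-invertible) f: {0,1}^m -> {0,1}^m; here HMAC-SHA256 truncated."""
    return hmac.new(subkey, x, hashlib.sha256).digest()[:M]

def feistel_round(subkey: bytes, L: bytes, R: bytes):
    # (L, R) -> (R, L ⊕ f(R)): a permutation on 2m bits whatever f is
    return R, xor(L, round_function(subkey, R))

def feistel_encrypt(subkeys: list, block: bytes) -> bytes:
    assert len(block) == 2 * M
    L, R = block[:M], block[M:]
    for k in subkeys:
        L, R = feistel_round(k, L, R)
    return L + R

def feistel_decrypt(subkeys: list, block: bytes) -> bytes:
    """Inverse: run the rounds backwards, undoing each with the same f."""
    L, R = block[:M], block[M:]
    for k in reversed(subkeys):
        # invert (L', R') = (R, L ⊕ f(R)): R = L', L = R' ⊕ f(L')
        L, R = xor(R, round_function(k, L)), L
    return L + R

def derive_subkeys(key: bytes, rounds: int = 4) -> list:
    """Per-round subkeys (constructed schedule; any distinct keys would do for the demonstration)."""
    return [hmac.new(key, b"round" + bytes([i]), hashlib.sha256).digest()[:16] for i in range(rounds)]

def is_permutation_on_sample(subkeys: list, n: int = 256) -> bool:
    """Sanity check: distinct inputs give distinct outputs and decrypt inverts encrypt."""
    seen = set()
    for i in range(n):
        pt = i.to_bytes(2 * M, "big")
        ct = feistel_encrypt(subkeys, pt)
        if ct in seen or feistel_decrypt(subkeys, ct) != pt:
            return False
        seen.add(ct)
    return True
```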
