message authentication and cryptographic hashing
play

Message authentication and cryptographic hashing 2MMC10 Cryptology - PowerPoint PPT Presentation

Oct 31, 2023 •42 likes •262 views

Message authentication and cryptographic hashing 2MMC10 Cryptology Andreas H ulsing September 20, 2018 A. H ulsing 2MMC10 Cryptology 1 / 12 Message authentication Sometimes we want more than secrecy! Acknowledgement of receipt,

  1. Message authentication and cryptographic hashing 2MMC10 Cryptology Andreas H¨ ulsing September 20, 2018 A. H¨ ulsing 2MMC10 Cryptology 1 / 12

  2. Message authentication Sometimes we want more than secrecy! Acknowledgement of receipt, social communication, source of executable, . . . We need integrity and authenticity! ? Encryption ⇒ Authenticity / integrity? PRG-ENC , PRF-ENC , ... any stream cipher allows controlled bit-flips. If format is known this may be disastrous Block ciphers make similar attacks harder but no guarantees. ECB-mode allows to switch order of blocks, repeat blocks, etc. A. H¨ ulsing 2MMC10 Cryptology 2 / 12

  3. Message authentication Sometimes we want more than secrecy! Acknowledgement of receipt, social communication, source of executable, . . . We need integrity and authenticity! ? Encryption ⇒ Authenticity / integrity? PRG-ENC , PRF-ENC , ... any stream cipher allows controlled bit-flips. If format is known this may be disastrous Block ciphers make similar attacks harder but no guarantees. ECB-mode allows to switch order of blocks, repeat blocks, etc. A. H¨ ulsing 2MMC10 Cryptology 2 / 12

  4. Message authentication Sometimes we want more than secrecy! Acknowledgement of receipt, social communication, source of executable, . . . We need integrity and authenticity! ? Encryption ⇒ Authenticity / integrity? PRG-ENC , PRF-ENC , ... any stream cipher allows controlled bit-flips. If format is known this may be disastrous Block ciphers make similar attacks harder but no guarantees. ECB-mode allows to switch order of blocks, repeat blocks, etc. A. H¨ ulsing 2MMC10 Cryptology 2 / 12

  5. Message authentication Sometimes we want more than secrecy! Acknowledgement of receipt, social communication, source of executable, . . . We need integrity and authenticity! ? Encryption ⇒ Authenticity / integrity? PRG-ENC , PRF-ENC , ... any stream cipher allows controlled bit-flips. If format is known this may be disastrous Block ciphers make similar attacks harder but no guarantees. ECB-mode allows to switch order of blocks, repeat blocks, etc. A. H¨ ulsing 2MMC10 Cryptology 2 / 12

  6. Message authentication codes (MAC) Definition (message authentication code) A message authentication code or MAC is a tuple of probabilistic polynomial-time algorithms MAC = ( Gen , Mac , Vrfy ) over a message space M , fulfilling the following: 1 Upon input 1 n , the algorithm Gen outputs a key k . The set of possible outputs of Gen is called the key space K . 2 The algorithm Mac receives as input a key k ∈ K and a message m ∈ M , and outputs a tag t ∈ T . The set of possible outputs of Mac is called tag space T . 3 The algorithm Vrfy receives as input a key k ∈ K , message m ∈ M , and tag t ∈ T , and outputs a bit b ∈ { 0 , 1 } . 4 Correctness: For every n , every k ← − Gen (1 n ), and every m ∈ M it holds that Vrfy k ( m , Mac k ( m )) = 1 . A. H¨ ulsing 2MMC10 Cryptology 3 / 12

  7. Existential unforgeability under (adaptive) chosen message attacks (EU-CMA) -Experiment Experiment ( Exp EU − CMA ( n )) A , MAC 1 k ← Gen (1 n ) 2 ( m , t ) ← A Mac k ( · ) (1 n ) . Let { m i } q 1 denote A ’s queries to Mac k 3 if ( Vrfy k ( m , t ) := 1 , and m �∈ { m i } q 1 ) return 1 4 else return 0. A. H¨ ulsing 2MMC10 Cryptology 4 / 12

  8. Existential unforgeability under (adaptive) chosen message attacks (EU-CMA) -Definition Definition (EU-CMA) A message authentication code MAC = ( Gen , Mac , Vrfy ) over a message space M is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all probabilistic polynomial-time adversaries A , there exists a negligible function negl such that: � � Exp EU − CMA Pr ( n ) = 1 ≤ negl ( n ) A , MAC A. H¨ ulsing 2MMC10 Cryptology 5 / 12

  9. Existential unforgeability under (adaptive) chosen message attacks (EU-CMA) -Definition Definition (EU-CMA) A message authentication code MAC = ( Gen , Mac , Vrfy ) over a message space M is ( t , ε ) existentially unforgeable under an adaptive chosen-message attack, if for all t -time adversaries A � � Exp EU − CMA Pr ( n ) = 1 ≤ ε A , MAC A. H¨ ulsing 2MMC10 Cryptology 6 / 12

  10. Remarks There exists a constant time attack with success probability 1 / |T | against every MAC ⇒ Tags must not be too short MAC’s do not prevent replay attacks! Replay attacks have to be handled on protocol level (e.g., using sequence numbers). A. H¨ ulsing 2MMC10 Cryptology 7 / 12

  11. Remarks There exists a constant time attack with success probability 1 / |T | against every MAC ⇒ Tags must not be too short MAC’s do not prevent replay attacks! Replay attacks have to be handled on protocol level (e.g., using sequence numbers). A. H¨ ulsing 2MMC10 Cryptology 7 / 12

  12. PRF = MAC Theorem A ( t , ε ) -secure PRF F leads a ( t , ε ) -secure MAC with Gen (1 n ) returns k ← R { 0 , 1 } n . Mac k ( m ) returns t := F k ( m ) . Vrfy k ( m , t ) returns 1 if t = F k ( m ) , and 0 otherwise. Proof see board. A. H¨ ulsing 2MMC10 Cryptology 8 / 12

  13. CBC-MAC Construction Let F be an efficient, length-preserving keyed function over { 0 , 1 } n . CBC-MAC has message space M = ( { 0 , 1 } ℓ n ) . The algorithms are as follows: Gen (1 n ) returns k ← R { 0 , 1 } n . Mac k ( m ) upon input key k ∈ { 0 , 1 } n and a message m of length ℓ n, do the following: 1 Denote m = m 1 , . . . , m ℓ where each m i is of length n, and set t 0 = 0 n . 2 For i = 1 to ℓ , set t i ← F k ( t i − 1 ⊕ m i ) . 3 Output t ℓ . Vrfy k ( m , t ) returns 1 if t = Mac k ( m ) , and 0 otherwise. A. H¨ ulsing 2MMC10 Cryptology 9 / 12

  14. Variable message length CBC-MAC CBC-MAC is not secure for variable length messages Solutions for variable ℓ : Derived key: Compute k ′ = F k ( ℓ ) and use k ′ to compute t = Mac k ′ ( m ) Prepend length: Compute t = Mac k ( ℓ � m ). Encrypted tag: Use two keys k 1 , k 2 ∈ { 0 , 1 } n , compute t ′ = Mac k 1 ( m ) and output t = F k 2 ( t ′ ). We can generate k 1 , k 2 from a single key using F as a length-doubling PRG ( < k 1 , k 2 > = < F k (0) , F k (1) > ) A. H¨ ulsing 2MMC10 Cryptology 10 / 12

  15. Variable message length CBC-MAC CBC-MAC is not secure for variable length messages Solutions for variable ℓ : Derived key: Compute k ′ = F k ( ℓ ) and use k ′ to compute t = Mac k ′ ( m ) Prepend length: Compute t = Mac k ( ℓ � m ). Encrypted tag: Use two keys k 1 , k 2 ∈ { 0 , 1 } n , compute t ′ = Mac k 1 ( m ) and output t = F k 2 ( t ′ ). We can generate k 1 , k 2 from a single key using F as a length-doubling PRG ( < k 1 , k 2 > = < F k (0) , F k (1) > ) A. H¨ ulsing 2MMC10 Cryptology 10 / 12

  16. Padding What if the message length is not a multiple of the block length: | m | � = x · n ? Solution: Padding Expand message to match multiple of block length. Usually injective function Pad : { 0 , 1 } ∗ → ( { 0 , 1 } n ) ∗ . E.g., m → m � 10 ∗ . Properties depend on cryptographic application: Encryption - invertible MAC - injective Often used for additional purposes: Randomization, or encoding message length. A. H¨ ulsing 2MMC10 Cryptology 11 / 12

  17. Padding What if the message length is not a multiple of the block length: | m | � = x · n ? Solution: Padding Expand message to match multiple of block length. Usually injective function Pad : { 0 , 1 } ∗ → ( { 0 , 1 } n ) ∗ . E.g., m → m � 10 ∗ . Properties depend on cryptographic application: Encryption - invertible MAC - injective Often used for additional purposes: Randomization, or encoding message length. A. H¨ ulsing 2MMC10 Cryptology 11 / 12

  18. Secrecy + Authenticity We want a combination of encryption and MAC that provides IND-CCA and EU-CMA security. Options: Encrypt-and-MAC: c = Enc k 1 ( m ) , t = Mac k 2 ( m ). MAC-then-Encrypt. t = Mac k 2 ( m ) , c = Enc k 1 ( m � t ). Encrypt-then-MAC. c = Enc k 1 ( m ) , t = Mac k 2 ( c ). A. H¨ ulsing 2MMC10 Cryptology 12 / 12

  19. Secrecy + Authenticity We want a combination of encryption and MAC that provides IND-CCA and EU-CMA security. Options: Encrypt-and-MAC: c = Enc k 1 ( m ) , t = Mac k 2 ( m ). MAC-then-Encrypt. t = Mac k 2 ( m ) , c = Enc k 1 ( m � t ). Encrypt-then-MAC. c = Enc k 1 ( m ) , t = Mac k 2 ( c ). A. H¨ ulsing 2MMC10 Cryptology 12 / 12

  20. Secrecy + Authenticity We want a combination of encryption and MAC that provides IND-CCA and EU-CMA security. Options: Encrypt-and-MAC: c = Enc k 1 ( m ) , t = Mac k 2 ( m ). Possibly insecure as MAC might leak! MAC-then-Encrypt. t = Mac k 2 ( m ) , c = Enc k 1 ( m � t ). Encrypt-then-MAC. c = Enc k 1 ( m ) , t = Mac k 2 ( c ). A. H¨ ulsing 2MMC10 Cryptology 12 / 12

  21. Secrecy + Authenticity We want a combination of encryption and MAC that provides IND-CCA and EU-CMA security. Options: Encrypt-and-MAC: c = Enc k 1 ( m ) , t = Mac k 2 ( m ). Possibly insecure as MAC might leak! MAC-then-Encrypt. t = Mac k 2 ( m ) , c = Enc k 1 ( m � t ). Possibly insecure but counter-examples are more involved Encrypt-then-MAC. c = Enc k 1 ( m ) , t = Mac k 2 ( c ). A. H¨ ulsing 2MMC10 Cryptology 12 / 12

Recommend

Network Security Cryptography: Cryptographic Hash Functions And Message Authentication Code

Network Security Cryptography: Cryptographic Hash Functions And Message Authentication Code

Network Security Cryptography: Cryptographic Hash Functions And Message Authentication Code F033581 Topic 2: Hash Functions and 1 Message Authentication Readings for This Lecture Wikipedia Cryptographic Hash Functions Message

689 views • 25 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY &amp; NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that messages come from the alleged source, unaltered SMU CSE 5349/7349 Authentication Functions Message encryption Ciphertext itself serves as

1.16k views • 69 slides
CPSC 418/MATH 318 Introduction to Cryptography Message Authentication Codes Randy Yee

CPSC 418/MATH 318 Introduction to Cryptography Message Authentication Codes Randy Yee

CPSC 418/MATH 318 Introduction to Cryptography Message Authentication Codes Randy Yee Department of Computer Science University of Calgary March 4, 2020 Outline Password hashing 1 SHA-3 2 Design strategy Details MACs 3 Properties of

519 views • 39 slides
Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334:

Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334:

Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334: Computer Security 1 Message Authentication message authentication is concerned with: protecting the integrity of a message Confirming

512 views • 48 slides
References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter

References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter

Message Authentication Codes (MACs) Message Authentication Codes (MACs) References Message Authentication Codes (MACs) Message Authentication Codes (MACs), Chapter 12 of Understanding Cryptography by Paar &amp; Pelzl Jim Royer Message

224 views • 3 slides
Authentication Dr. Steven Bitner Hashing Hashing is ONE WAY encryption You cannot

Authentication Dr. Steven Bitner Hashing Hashing is ONE WAY encryption You cannot

Authentication Dr. Steven Bitner Hashing Hashing is ONE WAY encryption You cannot retrieve the plain text Common hashes: md5 sha1 sha256 $password = hash (md5,$password); Better (though less common hash) Bcrypt

355 views • 18 slides
Security 2 CSC 249 April 12, 2018 Network Security Recap Message Integrity and Authentication

Security 2 CSC 249 April 12, 2018 Network Security Recap Message Integrity and Authentication

Security 2 CSC 249 April 12, 2018 Network Security Recap Message Integrity and Authentication Trusted Intermediaries Secure email pretty good privacy (PGP) 2 1 Cryptographic Keys Alices Bobs K A encryption decryption K B key

427 views • 13 slides
Message authentication and digital signatures &quot; Message authentication verify that the

Message authentication and digital signatures &quot; Message authentication verify that the

Message authentication and digital signatures &quot; Message authentication verify that the message is from the right sender, and not modified (incl message sequence) &quot; Digital signatures in addition, non ! repudiation &quot; Two

439 views • 23 slides
Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer

Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer

Crypto Conclusion Message Authentication Codes Key Management Fall 2012 CS 334: Computer Security 1 Message Authentication message authentication is concerned with: protecting the integrity of a message Confirming identity of

982 views • 46 slides
Quantum secure message authentication via blind-unforgeability Christian Majenz Joint work with

Quantum secure message authentication via blind-unforgeability Christian Majenz Joint work with

Quantum secure message authentication via blind-unforgeability Christian Majenz Joint work with Gorjan Alagic, Alexander Russell and Fang Song QCrypt 2018, Shanghai, China Message authentication Alice Bob m Message authentication Alice Bob

1.3k views • 68 slides
Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson/jme 1 OUTLINE

Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson/jme 1 OUTLINE

Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson/jme 1 OUTLINE Approaches to Message Authentication Secure Hash Functions (SHA) and Keyed- Hash Message Authentication Code (HMAC) Public-Key Cryptography

458 views • 29 slides
Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication Problem Bob Alice k k message M Eve is Active: Can alter messages Can insert new messages Authentication Problem Secrecy is not the only

553 views • 37 slides
Data Integrity &amp; Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity &amp; Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity &amp; Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice Bob (sender) (reciever) Fran (forger) Remark: Authentication

450 views • 31 slides
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity .

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity .

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity . Arnab Roy 1 and Tyge Tiessen 1 ) Technical University of Denmark 1 Royal Holloway, University of London 2 TU Graz 3 1 (joint work with Martin Albrecht

275 views • 26 slides
Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing? Distribute key/value pairs across bins with a hash function , Hashing Performance Hashing (Application of Probability) which maps elements from

497 views • 3 slides
Hash Functions, Message Hash Functions, Message Security Services Security Services

Hash Functions, Message Hash Functions, Message Security Services Security Services

Hash Functions, Message Hash Functions, Message Security Services Security Services Authentication Codes Authentication Codes Confidentiality : Symmetric encryption solves Integrity Ahmet Burak Can Authentication Hacettepe

341 views • 4 slides
stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication to be nobody-but-yourselfin a world which is doing its best to make you everybody else - e e cummings authentication: verifying the

490 views • 15 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

338 views • 23 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

787 views • 23 slides
Cryptographic Hashing in P4 Data Planes Dominik Scholz , Andreas Oeldemann, Fabien Geyer, Sebastian

Cryptographic Hashing in P4 Data Planes Dominik Scholz , Andreas Oeldemann, Fabien Geyer, Sebastian

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Cryptographic Hashing in P4 Data Planes Dominik Scholz , Andreas Oeldemann, Fabien Geyer, Sebastian Gallenmller, Henning Stubbe, Thomas Wild,

181 views • 15 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.25k views • 98 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.5k views • 58 slides

More recommend