MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION
Mihir Bellare, UCSD (PowerPoint PPT presentation)


  1. MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1

  2. Integrity and authenticity
  The goal is to ensure that
  • M really originates with Alice and not someone else
  • M has not been modified in transit

  3. Integrity and authenticity example
  [Figure: Alice sends "Pay $100 to Charlie" to Bob (the bank).]
  Adversary Eve might
  • Modify "Charlie" to "Eve"
  • Modify "$100" to "$1000"
  Integrity prevents such attacks.

  4. Message authentication codes
  A message authentication code T : Keys × D → R is a family of functions. The envisaged usage is shown below, where A is the adversary:
  [Figure: K ←$ Keys is shared by sender and receiver. The sender computes T ← T_K(M) and transmits (M, T); the adversary A may replace this by (M′, T′); the receiver outputs the decision d ← V_K(M′, T′).]
  We refer to T as the MAC or tag. We have defined
    Algorithm V_K(M′, T′)
      If T_K(M′) = T′ then return 1 else return 0

  5. MAC usage
  Sender and receiver share key K. To authenticate M, sender transmits (M, T) where T = T_K(M). Upon receiving (M′, T′), the receiver accepts M′ as authentic iff V_K(M′, T′) = 1, or, equivalently, iff T_K(M′) = T′.

  6. UF-CMA
  Let T : Keys × D → R be a message authentication code. Let A be an adversary.
  Game UFCMA_T
    procedure Initialize
      K ←$ Keys; S ← ∅
    procedure Tag(M)
      T ← T_K(M); S ← S ∪ {M}; return T
    procedure Finalize(M, T)
      If M ∈ S then return false
      If M ∉ D then return false
      Return (T = T_K(M))
  The uf-cma advantage of adversary A is
    $\mathrm{Adv}^{\text{uf-cma}}_T(A) = \Pr[\mathrm{UFCMA}_T^A \Rightarrow \mathrm{true}]$

  7. UF-CMA: Explanations
  Adversary A does not get the key K. It can call Tag with any message M of its choice to get back the correct tag T = T_K(M). To win, the adversary A must output a message M ∈ D and a tag T that are
  • Correct: T = T_K(M)
  • New: M ∉ S, meaning M was not a query to Tag
  Interpretation: Tag represents the sender and Finalize represents the receiver. Security means that the adversary can't get the receiver to accept a message that is not authentic, meaning was not already transmitted by the sender.

  8. Exercise: Tag lengths
  Let T : Keys × D → {0,1}^ℓ be a message authentication code. Specify in pseudocode an efficient adversary A making zero Tag queries and achieving $\mathrm{Adv}^{\text{uf-cma}}_T(A) = 2^{-\ell}$.
  Conclusion: Tags have to be long enough. For 80 bit security, tags have to be at least 80 bits.

  9. Example: Basic CBC MAC
  Let E : {0,1}^k × B → B be a blockcipher, where B = {0,1}^n. View a message M ∈ B* as a sequence of n-bit blocks, M = M[1] ... M[m]. The basic CBC MAC T : {0,1}^k × B* → B is defined by
    Alg T_K(M)
      C[0] ← 0^n
      for i = 1, ..., m do C[i] ← E_K(C[i−1] ⊕ M[i])
      return C[m]
  [Figure: the CBC chain. Blocks M[1], M[2], ..., M[m−1], M[m] are XORed into the running value and passed through E_K in turn; the last output C[m] = T_K(M) is the tag.]

  10. Splicing attack on basic CBC MAC
    adversary A
      Let x ∈ {0,1}^n
      T1 ← Tag(x)
      M ← x ‖ (T1 ⊕ x)
      Return M, T1
    Alg T_K(M)
      C[0] ← 0^n
      for i = 1, ..., m do C[i] ← E_K(C[i−1] ⊕ M[i])
      return C[m]
  Then, since the first block gives C[1] = E_K(x) = T1,
    T_K(M) = E_K(E_K(x) ⊕ T1 ⊕ x) = E_K(T1 ⊕ T1 ⊕ x) = E_K(x) = T1
  [Figure: the two-block CBC chain on x and T1 ⊕ x, with both E_K outputs equal to T1.]

  11. Insecurity of basic CBC MAC
    adversary A
      Let x ∈ {0,1}^n
      T1 ← Tag(x)
      M ← x ‖ (T1 ⊕ x)
      Return M, T1
    Alg T_K(M)
      C[0] ← 0^n
      for i = 1, ..., m do C[i] ← E_K(C[i−1] ⊕ M[i])
      return C[m]
  Then $\mathrm{Adv}^{\text{uf-cma}}_T(A) = 1$ and A is efficient, so the basic CBC MAC is not UF-CMA secure.
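The following is an added example, not code from the slides: it implements the UFCMA_T game of slides 6 and 7 (Initialize, Tag, Finalize with the set S), the basic CBC MAC of slide 9, and the splicing adversary of slides 10 and 11, and runs the attack inside the game. The blockcipher E_K is a stand-in built from HMAC-SHA256 truncated to n = 128 bits (an assumption made for the example); the splicing attack never inverts E, so any function family in the role of E behaves the same way. Names such as `UFCMAGame`, `cbc_mac` and `splicing_adversary` are chosen here and are not from the slides.

```python
import hashlib
import hmac
import secrets

N_BYTES = 16  # block length n = 128 bits


def E(K: bytes, x: bytes) -> bytes:
    """Stand-in for the blockcipher E_K: HMAC-SHA256 truncated to n bits (assumption)."""
    assert len(x) == N_BYTES
    return hmac.new(K, x, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def cbc_mac(K: bytes, M: bytes) -> bytes:
    """Basic CBC MAC of slide 9: C[0] = 0^n, C[i] = E_K(C[i-1] xor M[i]), tag = C[m]."""
    assert len(M) > 0 and len(M) % N_BYTES == 0  # M in B*, m >= 1 blocks
    C = bytes(N_BYTES)
    for i in range(0, len(M), N_BYTES):
        C = E(K, xor(C, M[i:i + N_BYTES]))
    return C


class UFCMAGame:
    """Game UFCMA_T of slide 6. Tag() plays the sender, Finalize() the receiver."""

    def __init__(self, mac, keylen=16):
        self.mac = mac
        self.K = secrets.token_bytes(keylen)  # Initialize: K <-$ Keys
        self.S = set()                         # S <- empty set

    def Tag(self, M: bytes) -> bytes:
        self.S.add(M)
        return self.mac(self.K, M)

    def Finalize(self, M: bytes, T: bytes) -> bool:
        if M in self.S:                               # not new: a replay does not win
            return False
        if len(M) == 0 or len(M) % N_BYTES != 0:      # M not in D = B*
            return False
        return T == self.mac(self.K, M)               # correct tag?


def splicing_adversary(game: UFCMAGame):
    """Adversary A of slide 10: one Tag query, then the forgery (x || (T1 xor x), T1)."""
    x = secrets.token_bytes(N_BYTES)
    T1 = game.Tag(x)
    M = x + xor(T1, x)
    return M, T1


def run_splicing_attack(trials: int = 50) -> float:
    """Fraction of independent games the adversary wins; slide 11 says this is 1."""
    wins = 0
    for _ in range(trials):
        game = UFCMAGame(cbc_mac)
        M, T = splicing_adversary(game)
        wins += game.Finalize(M, T)
    return wins / trials


if __name__ == "__main__":
    print("splicing adversary win rate:", run_splicing_attack())
```

Finalize enforces both conditions of slide 7: the forged message must be new (not in S) and in the domain, and only then is the tag compared. The two-block forgery is never in S because the only query was the one-block message x.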

  12. Exercise
  Let E : {0,1}^k × {0,1}^n → {0,1}^n be a blockcipher. Let D = { M ∈ {0,1}* : 0 < |M| < n·2^n and |M| mod n = 0 }. Let T : {0,1}^k × D → {0,1}^n be defined as follows:
    Alg T_K(M)
      M[1] ... M[m] ← M; M[m+1] ← ⟨m⟩; C[0] ← 0^n
      For i = 1, ..., m+1 do C[i] ← E_K(C[i−1] ⊕ M[i])
      T ← C[m+1]; return T
  Above, ⟨m⟩ denotes the n-bit binary representation of the integer m. Show that T is not UF-CMA-secure by presenting in pseudocode a practical adversary A making at most 4 Tag queries and achieving $\mathrm{Adv}^{\text{uf-cma}}_T(A) = 1$.

  13. Exercise
  Let E : {0,1}^k × {0,1}^n → {0,1}^n be a blockcipher. Let D = { M ∈ {0,1}* : 0 < |M| < n·2^n and |M| mod n = 0 }. Let T : {0,1}^k × D → {0,1}^n be defined as follows:
    Alg T_K(M)
      M[1] ... M[m] ← M; C[0] ← E_K(⟨m⟩)
      For i = 1, ..., m do C[i] ← E_K(C[i−1] ⊕ M[i])
      T ← C[m]; return T
  Above, ⟨m⟩ denotes the n-bit binary representation of the integer m. Is T UF-CMA-secure? If you say NO, present a practical adversary A achieving $\mathrm{Adv}^{\text{uf-cma}}_T(A) \ge 1/2$. If you say YES, prove this correct assuming E is PRF-secure.

  14. Replay
  Suppose Alice transmits (M1, T1) to Bank where M1 = "Pay $100 to Bob". Adversary
  • Captures (M1, T1)
  • Keeps re-transmitting it to bank
  Result: Bob gets $100, $200, $300, ...
  Our UF-CMA notion of security does not ask for protection against replay, because A will not win if it outputs M, T with M ∈ S, even if T = T_K(M) is the correct tag.
  Question: Why not?
  Answer: Replay is best addressed as an add-on to standard message authentication.

  15. Preventing Replay Using Timestamps
  Let Time_A be the time as per Alice's local clock and Time_B the time as per Bob's local clock.
  • Alice sends (M, T_K(M), Time_A)
  • Bob receives (M, T, Time) and accepts iff T = T_K(M) and |Time_B − Time| ≤ ∆ where ∆ is a small threshold.
  Does this work?

  16. Preventing Replay Using Timestamps
  Let Time_A be the time as per Alice's local clock and Time_B the time as per Bob's local clock.
  • Alice sends (M, T_K(M), Time_A)
  • Bob receives (M, T, Time) and accepts iff T = T_K(M) and |Time_B − Time| ≤ ∆ where ∆ is a small threshold.
  Does this work?
  Obviously forgery is possible within a ∆ interval. But the main problem is that Time_A is not authenticated, so adversary can transmit (M, T_K(M), Time1), (M, T_K(M), Time2), ... for any times Time1, Time2, ... of its choice, and Bob will accept.

  17. Preventing Replay Using Timestamps
  Let Time_A be the time as per Alice's local clock and Time_B the time as per Bob's local clock.
  • Alice sends (M, T_K(M ‖ Time_A), Time_A)
  • Bob receives (M, T, Time) and accepts iff T_K(M ‖ Time) = T and |Time_B − Time| ≤ ∆ where ∆ is a small threshold.

  18. Preventing Replay Using Counters
  Alice maintains a counter ctr_A and Bob maintains a counter ctr_B. Initially both are zero.
  • Alice sends (M, T_K(M ‖ ctr_A)) and then increments ctr_A
  • Bob receives (M, T). If T_K(M ‖ ctr_B) = T then Bob accepts and increments ctr_B.
  Counters need to stay synchronized.
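The three replay schemes of slides 15 to 18, as an added example that is not from the slides. HMAC-SHA256 stands in for T_K (an assumption for the example), and the concatenation M ‖ Time and M ‖ ctr is realised by appending a fixed-width 64-bit encoding of the number, so that the split between M and the number is unambiguous. The flawed scheme of slide 16 (timestamp outside the tag) is kept beside the repaired one of slide 17 so that the difference can be observed; function and class names (`send_unauth`, `accept_ts`, `CounterSender`, ...) and the value of ∆ are chosen here.

```python
import hashlib
import hmac
import struct

DELTA = 30  # slide 15's threshold, in seconds (value chosen for the example)


def T(K: bytes, M: bytes) -> bytes:
    """T_K: HMAC-SHA256 as the MAC (assumption for the example)."""
    return hmac.new(K, M, hashlib.sha256).digest()


def encode(M: bytes, number: int) -> bytes:
    """M || number with the number fixed-width, so the split is unambiguous (design choice)."""
    return M + struct.pack(">Q", number)


# Slide 16: the timestamp is sent alongside the tag but is not covered by it.
def send_unauth(K, M, time_a):
    return (M, T(K, M), time_a)


def accept_unauth(K, msg, time_b):
    M, tag, time = msg
    return hmac.compare_digest(tag, T(K, M)) and abs(time_b - time) <= DELTA


# Slide 17: the tag covers M || Time, so a changed timestamp invalidates it.
def send_ts(K, M, time_a):
    return (M, T(K, encode(M, time_a)), time_a)


def accept_ts(K, msg, time_b):
    M, tag, time = msg
    return hmac.compare_digest(tag, T(K, encode(M, time))) and abs(time_b - time) <= DELTA


# Slide 18: each side keeps a counter; the tag covers M || ctr.
class CounterSender:
    def __init__(self, K):
        self.K, self.ctr = K, 0

    def send(self, M):
        msg = (M, T(self.K, encode(M, self.ctr)))
        self.ctr += 1
        return msg


class CounterReceiver:
    def __init__(self, K):
        self.K, self.ctr = K, 0

    def accept(self, msg):
        M, tag = msg
        if hmac.compare_digest(tag, T(self.K, encode(M, self.ctr))):
            self.ctr += 1   # accept and advance; a replay of an old pair no longer matches
            return True
        return False


def demo():
    """Runs the three schemes on constructed inputs and returns the receiver's decisions."""
    K = b"k" * 32                      # constructed key
    M = b"Pay $100 to Bob"
    results = {}
    # Slide 16: Eve captures (M, tag, 1000) and resends it much later with a timestamp of her choice.
    M0, tag0, _ = send_unauth(K, M, 1000)
    results["unauth_replay_later"] = accept_unauth(K, (M0, tag0, 5000), 5000)
    # Slide 17: the same replay fails, because the tag is bound to Time_A = 1000.
    M1, tag1, t1 = send_ts(K, M, 1000)
    results["ts_fresh"] = accept_ts(K, (M1, tag1, t1), 1010)
    results["ts_forged_time"] = accept_ts(K, (M1, tag1, 5000), 5000)
    results["ts_stale"] = accept_ts(K, (M1, tag1, t1), 5000)
    results["ts_replay_within_delta"] = accept_ts(K, (M1, tag1, t1), 1020)
    # Slide 18: the second delivery of the same (M, tag) is rejected since ctr_B has moved on.
    s, r = CounterSender(K), CounterReceiver(K)
    msg = s.send(M)
    results["ctr_first"] = r.accept(msg)
    results["ctr_replay"] = r.accept(msg)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'accept' if decision else 'reject'}")
```

The `ts_replay_within_delta` entry is the point slide 16 makes first: even with the timestamp authenticated, a replay inside the ∆ window is still accepted, which is why the counter scheme of slide 18 is the stronger of the two as long as the counters stay synchronized.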

  19. Any PRF is a MAC
  If F is PRF-secure then it is also UF-CMA-secure:
  Theorem [GGM86,BKR96]: Let F : {0,1}^k × D → {0,1}^n be a family of functions. Let A be a uf-cma adversary making q Tag queries and having running time t. Then there is a prf-adversary B such that
    $\mathrm{Adv}^{\text{uf-cma}}_F(A) \le \mathrm{Adv}^{\text{prf}}_F(B) + \frac{2}{2^n}$.
  Adversary B makes q + 1 queries to its Fn oracle and has running time t plus some overhead.
  Exercise: Prove this theorem. We now give some intuition.

  20. Intuition for why PRFs are UF-CMA-secure
  1 Random functions make good (UF-CMA) MACs
  2 PRFs are pretty much as good as random functions
  For (1), suppose Fn : D → {0,1}^n is random and consider A who
  • Can query Fn at any points x1, ..., xq ∈ D it likes
  • To win, must output x, T such that x ∉ {x1, ..., xq} but T = Fn(x)
  Then, Pr[A wins] =

  21. Intuition for why PRFs are UF-CMA-secure
  1 Random functions make good (UF-CMA) MACs
  2 PRFs are pretty much as good as random functions
  For (1), suppose Fn : D → {0,1}^n is random and consider A who
  • Can query Fn at any points x1, ..., xq ∈ D it likes
  • To win, must output x, T such that x ∉ {x1, ..., xq} but T = Fn(x)
  Then, $\Pr[A \text{ wins}] = \frac{1}{2^n}$ because A did not query Fn(x).

  22. Intuition for why PRFs are UF-CMA-secure
  1 Random functions make good (UF-CMA) MACs
  2 PRFs are pretty much as good as random functions
  For (2), consider A who
  • Can query F_K at any points x1, ..., xq ∈ D it likes
  • To win, must output x, T such that x ∉ {x1, ..., xq} but T = F_K(x)
  If Pr[A wins] is significantly more than 2^{−n} then we are detecting a difference between F_K and a random function.
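A simulation of the intuition on slides 20 to 22, added here and not part of the slides. A random function Fn : D → {0,1}^n is sampled lazily (each new point gets an independent uniform n-bit value), n is kept small so that the 1/2^n win rate of slide 21 shows up in a few thousand trials, and the same experiment is then run with a PRF stand-in in place of Fn as slide 22 suggests. The PRF stand-in is HMAC-SHA256 truncated to n bits, the domain D is the set of 64-bit strings, and the adversary's guessing rule are all assumptions chosen for the example; `LazyRandomFunction`, `make_prf` and `win_rate` are names chosen here.

```python
import hashlib
import hmac
import random


class LazyRandomFunction:
    """A random function D -> {0,1}^n, sampled on demand; the table keeps answers consistent."""

    def __init__(self, n, rng):
        self.n, self.rng, self.table = n, rng, {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.n)
        return self.table[x]


def make_random_function(n, rng):
    return LazyRandomFunction(n, rng)


def make_prf(n, rng):
    """F_K for a random K: HMAC-SHA256 truncated to n bits (PRF stand-in, assumption)."""
    K = rng.getrandbits(128).to_bytes(16, "big")
    mask = (1 << n) - 1

    def F(x):
        digest = hmac.new(K, x.to_bytes(8, "big"), hashlib.sha256).digest()
        return int.from_bytes(digest, "big") & mask

    return F


def adversary(Fn, q, rng):
    """Queries q points, then outputs (x, T) for a fresh x.
    The guess is derived from the answers seen (their XOR), which cannot help:
    at an unqueried x the value Fn(x) is an independent uniform n-bit string."""
    queried = [rng.getrandbits(64) for _ in range(q)]   # D = 64-bit strings here
    answers = [Fn(x) for x in queried]
    x = rng.getrandbits(64)
    while x in queried:                                  # x must be new
        x = rng.getrandbits(64)
    guess = 0
    for a in answers:
        guess ^= a
    return x, guess


def win_rate(make_fn=make_random_function, n=8, q=4, trials=20000, seed=1):
    """Empirical Pr[A wins] over independent games; slide 21 predicts 1/2^n for a random Fn,
    and slide 22 says a PRF must give about the same, otherwise A distinguishes the two."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        Fn = make_fn(n, rng)
        x, T = adversary(Fn, q, rng)
        if T == Fn(x):          # Finalize: x is new by construction, so only correctness is checked
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("random function, n=8:", win_rate())                    # about 1/256 = 0.0039
    print("PRF stand-in,    n=8:", win_rate(make_fn=make_prf))    # about the same
```

With n = 8 both rates come out near 0.0039; raising n to 128 makes a win unobservable, which is the slide-8 point that tags must be long enough. Comparing the two rates is exactly the distinguishing test of slide 22: a PRF for which the forging rate was noticeably above 1/2^n would by that fact be distinguishable from a random function.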
