investigating the security properties of macs based on
play

Investigating the security properties of MACs based on stream - PowerPoint PPT Presentation

Jan 02, 2024 •283 likes •650 views

Investigating the security properties of MACs based on stream ciphers Leonie Simpson, Mufeed Al Mashrafi, Harry Bartlett, Ed Dawson and Kenneth Wong Institute for Future Environments Science and Engineering Faculty Queensland University of

  1. Investigating the security properties of MACs based on stream ciphers Leonie Simpson, Mufeed Al Mashrafi, Harry Bartlett, Ed Dawson and Kenneth Wong Institute for Future Environments Science and Engineering Faculty Queensland University of Technology Brisbane, Australia real R a university for the world CRICOS No. 00213J

  2. Outline • Introduction • Indirect injection – Matrix Representation – Security Analysis – Examples • Direct injection – Matrix representation – Security analysis – Examples • Summary real R a university for the world CRICOS No. 00213J

  3. Introduction: Stream ciphers • Keystream generator for a stream cipher – Inputs: secret key K and public IV – Outputs: Pseudorandom binary sequence • Sequence commonly used as keystream for binary additive stream cipher to provide confidentiality real R a university for the world CRICOS No. 00213J

  4. Introduction: Stream ciphers Keystreams also used for integrity applications • • Stream ciphers providing authenticated encryption (AE) use binary sequences for both confidentiality and integrity • These sequences can be produced by: a) the same keystream generator b) different keystream generators real R a university for the world CRICOS No. 00213J

  5. Introduction: Stream ciphers and MAC generation • Phases of MAC generation : 1.Preparation: • Initialise the internal state of the integrity components of the device • Prepare the input message: may involve appending padding bits to either end of message • NOTE: for AE, message may be plaintext or ciphertext 2.Accumulation: • Iterative process where input message used to accumulate values in the internal state of the integrity component 3.Finalisation: • Complete the processing of MAC tag (possible masking) real R a university for the world CRICOS No. 00213J

  6. Introduction: Stream ciphers and MAC generation • Q: How do stream ciphers use the message in the accumulation phase? – Message dependent updating of internal state of integrity component – Two approaches to this: 1.Directly : using message content as an input into the internal state component 2.Indirectly : using the message content to control accumulation of some unknown keystream into an internal state component real R a university for the world CRICOS No. 00213J

  7. Introduction: AE Stream ciphers and MAC security • Consider security against forgery attacks: – Assume keystream sequences are pseudorandom – Consider a Man-In-The-Middle attacker who can: • Intercept transmission of M and MAC K,IV ( M ), and • Modify M and possibly also MAC K,IV ( M ): – Flip, delete or insert bits in M , – Alter bits in MAC K,IV ( M ) – Forgery succeeds if attacker can produce valid pair: M’ and MAC K,IV ( M’ ) real R a university for the world CRICOS No. 00213J

  8. Outline • Introduction • Indirect injection – Matrix Representation – Security Analysis – Examples • Direct injection – Matrix representation – Security analysis – Examples • Summary real R a university for the world CRICOS No. 00213J

  9. Indirect injection • Modelling the integrity component: – Two registers, R and A , same length as MAC: d bits – Two inputs: message M and keystream sequence y – M used to control values from R accumulated in A real R a university for the world CRICOS No. 00213J

  10. Indirect injection • During accumulation: – Register R update: • Sliding window on keystream – Register A update: • Message dependent real R a university for the world CRICOS No. 00213J

  11. Indirect injection: examples • Stream cipher based MACs using indirect injection: real R a university for the world CRICOS No. 00213J

  12. Indirect injection: matrix representation • Consider contents of register A at time i : – Each stage of A contains a message dependent linear combination of values previously in register R, combined with the initial values in A: real R a university for the world CRICOS No. 00213J

  13. Indirect injection: matrix representation • Computing the MAC for an input message of length l : – Compute the value in the accumulation register A – Combine with (optional) final mask • NOTE: really only need to consider two aspects: – the accumulation phase, and – the linear combination of A 0 and F real R a university for the world CRICOS No. 00213J

  14. Indirect injection: security analysis • Analysis of the accumulation phase only: • Bit flipping forgeries: – Forge MAC( M’ ) by flipping appropriate bit/s in MAC( M ) – For known R 0 attacker can flip: • first bit of M and forge valid MAC with probability 1 • first 2 bits of M and forge valid MAC with probability ½ • first i bits of M and forge valid MAC with probability 2 -i real R a university for the world CRICOS No. 00213J

  15. Indirect injection: security analysis • Analysis of the accumulation phase only: • Bit deletion forgeries: – Forge MAC( M’ ) by shifting MAC( M ) and guessing appropriate bit/s – For known R 0 attacker can delete: • first bit of M and forge valid MAC with probability ½ • first 2 bits of M and forge valid MAC with probability ¼ • first i bits of M and forge valid MAC with probability 2 -i – Similarly, can forge MACs for unknown R 0 but known M by deleting leading/trailing zeroes real R a university for the world CRICOS No. 00213J

  16. Indirect injection: security analysis • Analysis of the accumulation phase only : • Bit insertion forgeries: – For any R 0 , • Can insert zeroes at the end of M: – Does not change accumulated value, so MAC( M’ ) = MAC( M ) – Forge valid MAC with probability 1 • Can insert zeroes at the start of M – Forge MAC( M’ ) by shifting MAC( M ) and guessing appropriate bit/s – Insert one zero - forge valid MAC with probability ½ – Insert i zeroes - forge valid MAC with probability 2 -i – For known R 0 can insert 1’s at start (Forge MAC( M’ ) by shift & guessing) real R a university for the world CRICOS No. 00213J

  17. Indirect injection: security analysis • Analysis of the masking phase: – Forgeries involving insertions or deletions at the start of the message rely on the sliding property of T l M l • Prevent the MAC tag sliding by by initialising A with bits from a fixed position, such as the start of the keystream sequence y – Forgeries involving zeroes inserted or deleted at the end of the message rely on the these zeroes having no effect on the accumulated value • Choice of A 0 does not prevent this • Prevent by using unknown mask that depends on message length – Choices for A 0 and F provide effective means to prevent bit insertion and deletion attacks real R a university for the world CRICOS No. 00213J

  18. Indirect injection: ZUC • 128-EIA3 based on ZUC – Prep phase: input message padded with a 1 at end – Finalisation phase: final mask from same sequence, as accumulation, but segment not previously used real R a university for the world CRICOS No. 00213J

  19. Indirect injection: ZUC • Matrix representation: MAC tag for 128-EIA3 Version 1.4 • Fuhr et al, 2012 – Possible forgery if zero inserted at start of message – Forge MAC from existing by shifting and guessing bit • Our work, 2012 – For messages with leading zeroes, possible to delete zeroes and forge MACs by shifting and guessing real R a university for the world CRICOS No. 00213J

  20. Outline • Introduction • Indirect injection – Matrix Representation – Security Analysis – Examples • Direct injection – Matrix representation – Security analysis – Examples • Summary real R a university for the world CRICOS No. 00213J

  21. Direct injection • Model for the integrity component: – Consider simple case: accumulation component is single register – Aspects to consider: • component state update function • how and where message inputs are injected – We extend the Nakano et al. 2011 model for stream cipher-based hash functions: • Hash function based on nonlinear filter generator • Uses structure of generator, but hash function is unkeyed • State update function includes both: – LFSR update, and – nonlinear filter feedback real R a university for the world CRICOS No. 00213J

  22. Direct injection: examples • SOBER family of stream cipher based MACs or MAC components use direct injection: Cipher Date MAC Message Initialisation Finalisation size 32 bits SOBER 2003 plaintext if keystream Nonlinear transmission -128 is ciphertext ≤ 128 SSS 2005 plaintext keystream Encrypts MAC NLSv2 2006 variable plaintext keystream 2 components combined real R a university for the world CRICOS No. 00213J

  23. Direct injection • Accumulation using nonlinear filter generator – Inject message and filter output into LFSR • Consider where input will be injected (which stages) • Consider how input will be injected (combine or replace) real R a university for the world CRICOS No. 00213J

  24. Direct injection: matrix representation • For autonomous LFSR: A t+1 = C A t where • Extend to include injection of message and/or nonlinear filter output bit by combining: real R a university for the world CRICOS No. 00213J

  25. Direct injection: matrix representation • In the accumulation phase, as the message is processed the contents of register A are updated: • Matrix representation for this: • where real R a university for the world CRICOS No. 00213J

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Message Authentication Codes (MACs) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Security Notions of MACs NMACs and HMACs

158 views • 12 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick Seurin 3 1 UL, Luxembourg 2 KAIST, Korea 3 ANSSI, France March 6, 2018

837 views • 55 slides
O e Overview & Aim e & Investigating common properties of across-channel processing in

O e Overview & Aim e & Investigating common properties of across-channel processing in

O e Overview & Aim e & Investigating common properties of across-channel processing in time, space and speech perception i i ti d h ti Shuji Mori K Kyushu University h U i it JSPS Kiban A Grant Kickoff Workshop August 2,

799 views • 22 slides
Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS

Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS

Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS ROCK CK S STEVENS, KEVIN HALLIDAY, MICHELLE MAZUREK // UNIV IVERSIT ITY O OF M MARYLAND JOSIAH DYKSTRA, JAMES CHAPMAN, ALEX FARMER //

290 views • 27 slides
Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla

Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla

Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla ekr@rtfm.com EVT/WOTE 2009 Understanding the Security Properties of Ballot-Based Verification 1 WARNING This talk contains no research content.

284 views • 15 slides
Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards

Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards

LASER Workshop 2020 Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards Rock Stevens , Kevin Halliday, Michelle Mazurek / / University of Maryland Josiah Dykstra, James Chapman, Alexander F armer

345 views • 22 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

338 views • 23 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

787 views • 23 slides
Investigating the Atomic and Nuclear Properties of the Heaviest Elements Michael Block GSI

Investigating the Atomic and Nuclear Properties of the Heaviest Elements Michael Block GSI

GSI Colloquium 19.05.2015 Investigating the Atomic and Nuclear Properties of the Heaviest Elements Michael Block GSI Darmstadt Helmholtzinstitut Mainz Institut fr Kernchemie der Universitt Mainz Outline Status of superheavy element (SHE)

1.06k views • 67 slides
Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee KAIST Outline Introduction - Message Authentication Code - Double-block Hash-then-Sum paradigm Our Contribution - Tight security proof of

394 views • 24 slides
On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security Avik

On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security Avik

Introduction Permutation-Based MACs PDMMAC Security of PDM*MAC Good Events Conclusion On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security Avik Chakraborti, Mridul Nandi, Suprita Talnikar , Kan Yasuda

1.03k views • 25 slides
-[ OS X Kernel Rootkits ]- Liar! Macs have no viruses! Who Am I Don't take me too

-[ OS X Kernel Rootkits ]- Liar! Macs have no viruses! Who Am I Don't take me too

-[ OS X Kernel Rootkits ]- Liar! Macs have no viruses! Who Am I Don't take me too seriously, I fuzz the Human brain! The capitalist "pig" degrees: Economics & MBA. Worked for the evil banking system! Security

833 views • 80 slides
MACS A framework for developmental learning of Affordances MACS 3 rd Review Sankt Augustin, 15 th

MACS A framework for developmental learning of Affordances MACS 3 rd Review Sankt Augustin, 15 th

Austrian Research Institute for Artificial Intelligence OFAI MACS A framework for developmental learning of Affordances MACS 3 rd Review Sankt Augustin, 15 th Feb 2008 Florian Kintzler, Jrg Irran, Georg Dorffner (OFAI) Outline

646 views • 29 slides
-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who Am I Hold two degrees nobody likes these days: Economics & MBA. Ex-hacker for .pt banking system (www.sibs.pt). Security

1.16k views • 91 slides
Beyond-Birthday-Bound Secure MACs Yannick Seurin ANSSI, France January 2018, Dagstuhl Seminar

Beyond-Birthday-Bound Secure MACs Yannick Seurin ANSSI, France January 2018, Dagstuhl Seminar

Generalities Stateless Deterministic MACs Nonce-Based MACs Beyond-Birthday-Bound Secure MACs Yannick Seurin ANSSI, France January 2018, Dagstuhl Seminar Y. Seurin BBB Secure MACs January 2018 1 / 44 Generalities Stateless Deterministic

1.21k views • 95 slides
Representing Images and Sounds Class 4. 3 Sep 2009 Instructor: Bhiksha Raj Representing an

Representing Images and Sounds Class 4. 3 Sep 2009 Instructor: Bhiksha Raj Representing an

11-755 Machine Learning for Signal Processing Representing Images and Sounds Class 4. 3 Sep 2009 Instructor: Bhiksha Raj Representing an Elephant It was six men of Indostan, The fifth, who chanced to touch the ear, n n To learning much

1.41k views • 113 slides
Variational Model Selection for Sparse Gaussian Process Regression Michalis K. Titsias School of

Variational Model Selection for Sparse Gaussian Process Regression Michalis K. Titsias School of

Variational Model Selection for Sparse Gaussian Process Regression Variational Model Selection for Sparse Gaussian Process Regression Michalis K. Titsias School of Computer Science University of Manchester 7 September 2008 Variational Model

1.05k views • 41 slides
Data Science in the Wild Lecture 8: Advanced Experimental Analysis Eran Toch Data Science in the

Data Science in the Wild Lecture 8: Advanced Experimental Analysis Eran Toch Data Science in the

Data Science in the Wild Lecture 8: Advanced Experimental Analysis Eran Toch Data Science in the Wild, Spring 2019 1 Types of Tests Parametric vs. Non- Parametric Difference vs. Correlation Categorical vs. Differential

1.27k views • 40 slides
Outline 1

Outline 1

Outline 1 2

424 views • 20 slides
Modeling and Verification with SPIN Wishnu Prasetya wishnu@cs.uu.nl www.cs.uu.nl/docs/vakken/pv

Modeling and Verification with SPIN Wishnu Prasetya wishnu@cs.uu.nl www.cs.uu.nl/docs/vakken/pv

Model Checking with SPIN Modeling and Verification with SPIN Wishnu Prasetya wishnu@cs.uu.nl www.cs.uu.nl/docs/vakken/pv Overview Architecture & a bit more about SPIN SPINs modeling language Examples of models in SPIN

652 views • 49 slides
Can Social Media tell us something about our lives? Vasileios Lampos Computer Science Department

Can Social Media tell us something about our lives? Vasileios Lampos Computer Science Department

Can Social Media tell us something about our lives? Vasileios Lampos Computer Science Department University of Sheffield March, 2013 1 / 43 V. Lampos bill@lampos.net Can Social Media tell us something about our lives? 1/43 Outline

732 views • 43 slides
Integrating Personalized Health Information from MedlinePlus in a Patient Portal

Integrating Personalized Health Information from MedlinePlus in a Patient Portal

Integrating Personalized Health Information from MedlinePlus in a Patient Portal Damian&BORBOLLA,&Guilherme&DEL&FIOL,&Vanina TALIERCIO,&Carlos&OTERO,&Fernando&CAMPOS,&Marcela

326 views • 20 slides
Chapter 9 Alternative Architectures Quote It would appear that we have reached the limit of

Chapter 9 Alternative Architectures Quote It would appear that we have reached the limit of

Chapter 9 Alternative Architectures Quote It would appear that we have reached the limit of what is possible to achieve with computer technology, although one should be careful with such statements as they tend to sound pretty silly in 5

985 views • 77 slides

More recommend