MAC Reforgeability
John Black (University of Colorado, Boulder) and Martin Cochran (Google Inc.)
Fast Software Encryption 2009


  1. MAC Reforgeability • John Black (University of Colorado, Boulder) • Martin Cochran (Google Inc.) • Fast Software Encryption 2009

  2. Outline • Problem setting: “reforgeability” • Appropriate scenarios • Application to current MACs • Proposal: a new MAC with good tradeoffs (small tags, fast, flexible security, security reduction)

  3. Message Authentication: setting • Alice and Bob share a secret key K • Adversary Eve has access to communication channel • Can inject/modify messages • Goal (informally): all adversarial modifications to channel are detectable

  4. Message Authentication Codes (stateless) • Append Tag = F(K, M) to each message M • Eve should not be able to find new message M’ and Tag’ such that Tag’ = F(K, M’)

  5. Message Authentication Codes (stateful) • Append Tag = F(K, M, n) to each message M • Eve should not be able to find new tuple (M’, Tag’, n’) such that Tag’ = F(K, M’, n’)

  6. Current Options • Essentially there are three types of MACs • Blockcipher based (CBC-MAC) • Compression-function based (HMAC) • Wegman-Carter based (Poly1305, VMAC)

  7. Wegman-Carter • Let $\epsilon \in \mathbb{R}^+$ and fix a domain $D$ and range $R$. A finite multiset of hash functions $H = \{h : D \to R\}$ is said to be $\epsilon$-Almost Universal ($\epsilon$-AU) if for every $x, y \in D$ with $x \neq y$, $\Pr_{h \in H}[h(x) = h(y)] \le \epsilon$. • Building blocks: a fixed $h \in H$ and a PRF $F_K$

  8. Wegman-Carter • Key: $\{K, h\}$ (the PRF key $K$ together with the choice of $h \in H$)

  9-11. Wegman-Carter: three ways to combine $h$ and $F_K$ ($n$ - nonce, $M$ - message) • Option I (FH, stateless): $\mathrm{Tag} = F_K(h(M))$ • Option II (WCS, stateful): $\mathrm{Tag} = F_K(n) + h(M)$ • Option III (FCH, stateful): $\mathrm{Tag} = F_K(n \,\|\, h(M))$ • In the stateful options the nonce must be unique!
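The three options above, as an added example that is not part of the deck or of the authors' paper. A toy Poly1305-style polynomial hash over GF(2^61 - 1) plays the ε-AU family and HMAC-SHA256 plays the PRF F_K; both are assumptions for illustration, not the instantiations the paper uses. The last two functions show why the nonce in Option II must be unique: tags for two messages under one repeated nonce differ by h(M1) - h(M2), which for this hash family gives the hash key after a single division, and with the key the eavesdropper can forge any message under that nonce.

```python
import hmac
import hashlib
import secrets

# Toy instantiation (assumption for this example, not the paper's): the epsilon-AU family is a
# Poly1305-style polynomial hash over GF(P), the PRF F_K is HMAC-SHA256.
P = (1 << 61) - 1   # Mersenne prime
CHUNK = 7           # 7-byte chunks are < 2**56 < P, so every chunk is a field element


def to_blocks(msg: bytes) -> list:
    """Injective encoding of a byte string as field elements: a length block, then 7-byte chunks."""
    return [len(msg)] + [int.from_bytes(msg[i:i + CHUNK], "big") for i in range(0, len(msg), CHUNK)]


def poly_hash(k: int, blocks: list) -> int:
    """h_k(b_1, ..., b_t) = sum_i b_i * k^(t-i+1) mod P.  Two distinct t-block inputs collide for
    at most t values of k, so the family {h_k} is (t/P)-almost universal."""
    acc = 0
    for b in blocks:
        acc = (acc + b) * k % P
    return acc


def prf(K: bytes, data: bytes) -> bytes:
    """F_K on byte strings."""
    return hmac.new(K, data, hashlib.sha256).digest()


def prf_field(K: bytes, data: bytes) -> int:
    """F_K reduced into GF(P), usable as a one-time pad for h(M)."""
    return int.from_bytes(prf(K, data), "big") % P


def fh_tag(K, k, msg):
    """Option I (FH, stateless): Tag = F_K(h(M))."""
    return prf(K, poly_hash(k, to_blocks(msg)).to_bytes(8, "big"))


def wcs_tag(K, k, nonce, msg):
    """Option II (WCS, stateful): Tag = F_K(n) + h(M); the nonce must never repeat."""
    return (prf_field(K, nonce) + poly_hash(k, to_blocks(msg))) % P


def fch_tag(K, k, nonce, msg):
    """Option III (FCH, stateful): Tag = F_K(n || h(M))."""
    return prf(K, nonce + poly_hash(k, to_blocks(msg)).to_bytes(8, "big"))


def wcs_verify(K, k, nonce, msg, tag):
    expected = wcs_tag(K, k, nonce, msg).to_bytes(8, "big")
    return hmac.compare_digest(expected, (tag % P).to_bytes(8, "big"))


def wcs_recover_k(m1, t1, m2, t2):
    """Nonce reuse in WCS: T1 - T2 = h_k(M1) - h_k(M2) because the pad F_K(n) cancels.
    For two one-chunk messages of equal length, h_k(M) = len*k^2 + c*k, so the difference
    is (c1 - c2)*k and k follows from one division (the 'repeated nonce: 1, reveals key' row)."""
    c1, c2 = to_blocks(m1)[1], to_blocks(m2)[1]
    if len(m1) != len(m2) or len(m1) > CHUNK or c1 == c2:
        raise ValueError("demo expects two distinct equal-length messages of one chunk")
    return (t1 - t2) * pow((c1 - c2) % P, -1, P) % P


def wcs_forge(k, m_known, t_known, m_target):
    """With k known, strip the pad from one genuine tag and re-use it for any message."""
    pad = (t_known - poly_hash(k, to_blocks(m_known))) % P
    return (pad + poly_hash(k, to_blocks(m_target))) % P


def nonce_reuse_demo():
    K = secrets.token_bytes(32)
    k = secrets.randbelow(P - 1) + 1
    nonce = (7).to_bytes(4, "big")            # reused by mistake for both frames
    m1, m2 = b"frame01", b"frame02"           # constructed sample messages
    t1, t2 = wcs_tag(K, k, nonce, m1), wcs_tag(K, k, nonce, m2)
    k_rec = wcs_recover_k(m1, t1, m2, t2)     # eavesdropper: two (M, T) pairs, no key
    m3 = b"forged!"
    t3 = wcs_forge(k_rec, m1, t1, m3)
    return {
        "key_recovered": k_rec == k,
        "forgery_accepted": wcs_verify(K, k, nonce, m3, t3),
        # Options I and III hide h(M) inside the PRF, so no such linear relation exists
        "fch_tags_unrelated": fch_tag(K, k, nonce, m1) != fch_tag(K, k, nonce, m2),
    }
```

Run `nonce_reuse_demo()` to see the WCS key recovery and forgery succeed; the same two tags in FCH mode give the attacker nothing to subtract, which is the property the WMAC construction later in the deck builds on.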

  12. Formal Model • Oracle for MAC, oracle for verifications • Adversary can query messages of her choice and receive tags • Adversary wins if she can produce valid tag for unqueried message (valid verification query)

  13. Security of typical MACs • Security usually measured in terms of tag length and number of queries • Most stateless MACs have a chance of forgery of around $q_s^2 / 2^n$ (or $\epsilon q_s^2$ for universal-hash based MACs), where $n$ is the tag length in bits • Stateful MACs are better: more like $q_v / 2^n$ (or $\epsilon q_v$)

  14. What happens after security is lost? • Security bound measures chance of first forgery • Are more forgeries possible? • Perfect MAC - random function

  15-18. Low-security applications • Video streaming • VOIP • {power, CPU, bandwidth}-limited environments (sensor networks, e.g.)

  19. Breaking Point • All MACs examined have some breaking point, after which many forgeries are possible

  20. Summary of Attacks

      MAC scheme        Expected queries for j forgeries   Succumbs to attack (padding / other)   Message freedom
      CBC MAC           C_1 + j                            ✓                                      m − 2
      EMAC              C_1 + j                            ✓ ✓                                    m − 2
      XCBC              C_1 + j                            ✓ ✓                                    m − 2
      PMAC              C_1 + j                            ✓                                      1
      ANSI retail MAC   C_1 + j                            ✓ ✓                                    m − 2
      HMAC              C_i / 2^i + j                      ✓                                      m − 1

      C_i is the i-th observed collision (no truncation of tags)

  21. Summary of Attacks (universal-hash based MACs)

      UHF in FH mode       Expected queries for j forgeries   Reveals key   Queries for key recovery
      hash127/Poly1305     C_1 + log m + j                    ✓             C_1 + log m
      VMAC                 C_1 + 2j
      Square Hash          C_1 + 2j                           ✓             m · C_1
      Toeplitz Hash        C_1 + 2j
      Bucket Hash          C_1 + 2j
      MMH/NMH              C_1 + 2j

      UHF in WCS mode      Expected queries for j forgeries   Repeated nonce   Reveals key   Queries for key recovery
      (with nonce misuse)
      hash127/Poly1305     2 + log m + j                      1                ✓             2 + log m
      VMAC                 C_1 + 2j                           C_1 + j
      Square Hash          3m + j                             m                ✓             3m
      Toeplitz Hash        2j + 2                             1
      Bucket Hash          2j + 2                             1
      MMH/NMH              2m + j                             m                ✓             2m
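The "breaking point" of slides 19-21 for a polynomial hash in FH mode, as an added example that is not from the deck or the paper. The field is deliberately tiny (GF(8191), an assumption for the demo) so that the first tag collision C_1 shows up after a birthday-bound number of queries, a few hundred here instead of about 2^64 for a real 128-bit hash. After the collision the attacker solves for the hash key from the two colliding messages and then gets one forgery per signing query, which is the C_1 + log m + j row with log m = 0 because the difference polynomial of two 2-block messages has a single root.

```python
import hmac
import hashlib
import random

# Deliberately tiny field (assumption for the demo) so the birthday bound is reached in a few
# hundred queries; a real UHF over ~2**128 puts the first collision C_1 near 2**64 queries.
P = 8191   # 2**13 - 1


def poly_hash(k: int, msg) -> int:
    """Poly1305-style hash over GF(P) of a tuple of field elements, length-prefixed."""
    acc = 0
    for b in (len(msg),) + tuple(msg):
        acc = (acc + b) * k % P
    return acc


def fh_tag(K: bytes, k: int, msg) -> bytes:
    """Option I (FH, stateless): Tag = F_K(h_k(M)), F_K = HMAC-SHA256 truncated to 64 bits."""
    return hmac.new(K, poly_hash(k, msg).to_bytes(2, "big"), hashlib.sha256).digest()[:8]


class SigningOracle:
    """The MAC oracle of the formal model: tags any message and counts the queries."""
    def __init__(self, K, k):
        self.K, self.k, self.queries = K, k, 0

    def sign(self, msg):
        self.queries += 1
        return fh_tag(self.K, self.k, msg)


def find_collision(oracle, rng, max_queries=4000):
    """Query random 2-block messages until two distinct ones receive the same tag.  With a
    64-bit PRF output, equal tags mean equal hashes; this is the first collision C_1."""
    seen, by_tag = set(), {}
    for _ in range(max_queries):
        msg = (rng.randrange(P), rng.randrange(P))
        if msg in seen:
            continue                                  # a repeated query is not a collision
        seen.add(msg)
        tag = oracle.sign(msg)
        if tag in by_tag:
            return by_tag[tag], msg
        by_tag[tag] = msg
    raise RuntimeError("no collision within the query budget")


def key_from_collision(m1, m2):
    """h_k(c1, c2) = 2k^3 + c1 k^2 + c2 k, so h_k(M1) = h_k(M2) with M1 != M2 forces
    (c1 - d1) k + (c2 - d2) = 0: the difference polynomial has a single root, the hash key.
    (log m of the 'C_1 + log m + j' column is 0 here; longer messages leave up to m roots to test.)"""
    (c1, c2), (d1, d2) = m1, m2
    return (d2 - c2) * pow((c1 - d1) % P, -1, P) % P


def forge(oracle, k, target):
    """One forgery per signing query (the '+ j' term): build a sibling M' != M* with
    h_k(M') = h_k(M*), have the oracle sign M', and present that tag for M*."""
    c1, c2 = target
    sibling = ((c1 + 1) % P, (c2 - k) % P)
    return oracle.sign(sibling)


def breaking_point_demo(seed=1, forgeries=5):
    rng = random.Random(seed)                         # deterministic demo; real keys use secrets
    K = rng.getrandbits(256).to_bytes(32, "big")
    k = rng.randrange(1, P)
    oracle = SigningOracle(K, k)
    m1, m2 = find_collision(oracle, rng)
    c1 = oracle.queries
    k_rec = key_from_collision(m1, m2)
    accepted = 0
    for _ in range(forgeries):
        target = (rng.randrange(P), rng.randrange(P))  # almost surely never signed by the oracle
        tag = forge(oracle, k_rec, target)
        accepted += hmac.compare_digest(tag, fh_tag(K, k, target))
    return {"queries_to_first_collision": c1, "key_recovered": k_rec == k,
            "forgeries_accepted": accepted, "total_queries": oracle.queries}
```

Before C_1 the best the attacker can do is guess tags; after C_1 every forgery costs exactly one more query, which is what "reforgeability" measures and what the security bound on slide 13 says nothing about.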

  22. There’s more • Preneel and Handschuh found much more severe attacks, many involving only verification queries

  23-24. OK. Now what? • Can we fix this? • Probably, but at what cost? • F(F(K, M), M) would probably work, but twice as much computation (and what if F(K, M) = F(K, M’) and F(F(K, M), M) = F(F(K, M’), M’)?) • Look for better tradeoffs

  25. Good low security MACs • Short tag • Fast • Guessing the tag is best adversarial strategy (up to a point!) • Attacker may get one right every now and then (one frame in video stream)

  26. Countermeasures • Truncate tags to desired length • Use state to avoid reforgeability

  27. Which countermeasures fit which MACs? (columns: CBC-MAC, HMAC, WCS MACs) • Use state? • Truncate? X • Fast? X X (in software)

  28-29. Wegman-Carter, revisited ($n$ - nonce, $M$ - message) • Option I (stateless): $\mathrm{Tag} = F_K(h(M))$ • Option II (stateful): $\mathrm{Tag} = F_K(n) + h(M)$ • Option III (stateful): $\mathrm{Tag} = F_K(n \,\|\, h(M))$

  30-31. WMAC: Option III (stateful), $\mathrm{Tag} = F_K(n \,\|\, h(M))$ • Generalization of Options I and III • State included, uniqueness not required

  32. WMAC Benefits • Fast, comparable to fastest WCS MACs • Tolerates nonce reuse • Sliding scale of security • Tags may be truncated safely • Tight security reduction

  33. WMAC tradeoffs • No partial precomputation • PRF must accept larger input (possible extra computation) • Still has breaking point • Limiting incorrect verification queries is important!
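WMAC as described on slides 30-33, as an added example that is not part of the deck or the paper: the same toy polynomial hash over GF(2^61 - 1) stands in for VHASH and HMAC-SHA256 for truncated AES (both assumptions for illustration). The tag is F_K(n || h(M)) cut to L = 24 bits, the nonce is an 8-bit counter that is allowed to wrap, and the receiver enforces a budget on failed verifications, since with short tags every incorrect verification query is a 2^-L chance of a forgery.

```python
import hmac
import hashlib
import secrets

# Toy WMAC instantiation (assumption for this example): the polynomial hash over GF(2**61 - 1)
# stands in for VHASH and HMAC-SHA256 for truncated AES.  Tag = F_K(n || h(M)) cut to L bits,
# n an 8-bit counter that is allowed to wrap, so the same nonce serves up to alpha messages.
P = (1 << 61) - 1
CHUNK = 7
TAG_BITS = 24        # L on the slides
COUNTER_BITS = 8     # tag + counter = 32 bits on the wire


def to_blocks(msg: bytes) -> list:
    """Injective encoding: a length block, then 7-byte chunks (each < P)."""
    return [len(msg)] + [int.from_bytes(msg[i:i + CHUNK], "big") for i in range(0, len(msg), CHUNK)]


def poly_hash(k: int, blocks: list) -> int:
    """Poly1305-style epsilon-AU hash over GF(P)."""
    acc = 0
    for b in blocks:
        acc = (acc + b) * k % P
    return acc


def wmac_tag(K: bytes, k: int, counter: int, msg: bytes) -> bytes:
    """WMAC (Option III without the uniqueness requirement): F_K(n || h(M)) truncated to L bits."""
    n = counter.to_bytes(COUNTER_BITS // 8, "big")
    h = poly_hash(k, to_blocks(msg)).to_bytes(8, "big")
    return hmac.new(K, n + h, hashlib.sha256).digest()[:TAG_BITS // 8]


class Sender:
    """Owns the counter; transmits (counter, tag) with every message."""
    def __init__(self, K, k):
        self.K, self.k, self.counter = K, k, 0

    def send(self, msg):
        counter = self.counter
        self.counter = (counter + 1) % (1 << COUNTER_BITS)   # wraps: nonce reuse is tolerated
        return counter, wmac_tag(self.K, self.k, counter, msg)


class Receiver:
    """Verifies in constant time and budgets failed verifications: every wrong guess succeeds
    with probability 2**-L, so q_v must stay far below 2**L before rekeying."""
    def __init__(self, K, k, max_failures):
        self.K, self.k, self.failures, self.max_failures = K, k, 0, max_failures

    def verify(self, counter, msg, tag):
        if self.failures >= self.max_failures:
            return False                      # budget spent: reject until the application rekeys
        if hmac.compare_digest(wmac_tag(self.K, self.k, counter, msg), tag):
            return True
        self.failures += 1
        return False


def wmac_demo(n_messages=300, guesses=10):
    if n_messages <= (1 << COUNTER_BITS):
        raise ValueError("demo needs more messages than counter values to show a wrap")
    K = secrets.token_bytes(32)
    k = secrets.randbelow(P - 1) + 1
    sender, receiver = Sender(K, k), Receiver(K, k, max_failures=guesses)
    frames = [b"frame %03d" % i for i in range(n_messages)]        # constructed sample traffic
    sent = [sender.send(f) for f in frames]
    accepted = sum(receiver.verify(c, f, t) for (c, t), f in zip(sent, frames))
    reused = n_messages - len({c for c, _ in sent})                # counters used more than once
    (c_a, t_a), (c_b, t_b) = sent[0], sent[1 << COUNTER_BITS]       # frames 0 and 256 share n = 0
    # An attacker who never saw a tag for this frame tries constant tag guesses.
    forged = sum(receiver.verify(5, b"not a frame", g.to_bytes(TAG_BITS // 8, "big"))
                 for g in range(guesses))
    c1, t1 = sent[1]
    return {
        "accepted": accepted,
        "counters_reused": reused,
        "same_nonce_unrelated_tags": c_a == c_b and t_a != t_b,
        "forgeries_by_guessing": forged,
        "valid_tag_rejected_after_budget": not receiver.verify(c1, frames[1], t1),
    }
```

Two frames share the counter value 0 and still get unrelated tags, because the hash sits inside the PRF input rather than being added to its output; the cost is the one the slide names, a PRF call over a longer input, and a breaking point that is now governed by the number of verification attempts, which the receiver here caps.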

  34-35. Security Reduction • Bad things happen with (approximate) probability
  $$\frac{\epsilon(\alpha - 1) q_s}{2} + \epsilon \binom{q_v}{2} + \epsilon q_v q_s + \frac{q_v}{2^{L-1}}$$
  • $q_s$ - number of signing queries • $q_v$ - number of verification queries • $L$ - tag length in bits • $\alpha$ - max number of signing queries per nonce • $\epsilon$ - of the $\epsilon$-AU family used • Let $\alpha = 1$ for the Option III bound and $\alpha = q_s$ for the Option I bound

  36-37. Example Parameters • Truncated AES as PRF (tag + counter only 32 bits) • VHASH from VMAC • Comparable speed to VMAC • $\epsilon \le 2^{-82}$, $L = 24$, $\alpha = 2^{24}$ (8-bit counter value) • After $2^{32}$ queries and $2^{24}$ forgery attempts, one forgery is expected

  38. Q&A
