MAC Reforgeability, John Black and Martin Cochran: PowerPoint PPT Presentation

SLIDE 1

MAC Reforgeability

John Black (1) and Martin Cochran (2), Fast Software Encryption 2009

(1) University of Colorado, Boulder; (2) Google Inc.

SLIDE 2

Outline

  • Problem setting - “reforgeability”
  • Appropriate scenarios
  • Application to current MACs
  • Propose new MAC with good tradeoffs
  • small tags
  • fast
  • flexible security
  • security reduction
SLIDE 3

Message Authentication: setting

  • Alice and Bob share a secret key K
  • Adversary Eve has access to communication channel
  • Can inject/modify messages
  • Goal (informally): all adversarial modifications to channel are detectable

SLIDE 4

Message Authentication Codes (stateless)

  • Append Tag = F(K, M) to each message M
  • Eve should not be able to find new message M’ and Tag’ such that Tag’ = F(K, M’)

SLIDE 5

Message Authentication Codes (stateful)

  • Append Tag = F(K, M, n) to each message M
  • Eve should not be able to find new tuple (M’, Tag’, n’) such that Tag’ = F(K, M’, n’)

SLIDE 6

Current Options

  • Essentially there are three types of MACs
  • Blockcipher based (CBC-MAC)
  • Compression-function based (HMAC)
  • Wegman-Carter based (Poly1305, VMAC)
SLIDE 7

Wegman-Carter

Building Blocks:

F_K (the PRF, keyed by K)

Fixed h ∈ H

Let ε ∈ R+ and fix a domain D and range R. A finite multiset of hash functions H = {h : D → R} is said to be ε-Almost Universal (ε-AU) if for every x, y ∈ D with x ≠ y, Pr_{h∈H}[h(x) = h(y)] ≤ ε.

SLIDE 8

Wegman-Carter

Building Blocks:

F_K (the PRF, keyed by K), Key: {K, h}

Fixed h ∈ H

Let ε ∈ R+ and fix a domain D and range R. A finite multiset of hash functions H = {h : D → R} is said to be ε-Almost Universal (ε-AU) if for every x, y ∈ D with x ≠ y, Pr_{h∈H}[h(x) = h(y)] ≤ ε.

SLIDE 9

Wegman-Carter

Option I (FH): Tag = F_K(h(M))
Option II (WCS, stateful): Tag = F_K(n) + h(M)
Option III (FCH, stateful): Tag = F_K(n || h(M))

n - nonce, M - message

SLIDE 10

Wegman-Carter

Option I (FH): Tag = F_K(h(M))
Option II (WCS, stateful): Tag = F_K(n) + h(M)
Option III (FCH, stateful): Tag = F_K(n || h(M))

n - nonce, M - message

SLIDE 11

Wegman-Carter

Option I (FH): Tag = F_K(h(M))
Option II (WCS, stateful): Tag = F_K(n) + h(M)
Option III (FCH, stateful): Tag = F_K(n || h(M))

n - nonce, M - message

nonce must be unique!

SLIDE 12

Formal Model

  • Oracle for MAC, oracle for verifications
  • Adversary can query messages of her choice and receive tags
  • Adversary wins if she can produce valid tag for unqueried message (valid verification query)

SLIDE 13

Security of typical MACs

  • Security usually measured in terms of tag length, queries
  • Most stateless MACs have chance of forgery of around q_s^2 / 2^n (ε q_s^2)
  • Stateful MACs are better: more like q_v / 2^n (ε q_v)

SLIDE 14

What happens after security is lost?

  • Security bound measures chance of first forgery
  • Are more forgeries possible?
  • Perfect MAC - random function
SLIDE 15

Low-security applications

SLIDE 16

Low-security applications

  • Video streaming
SLIDE 17

Low-security applications

  • Video streaming
  • VOIP
SLIDE 18

Low-security applications

  • Video streaming
  • VOIP
  • {power, CPU, bandwidth}-limited environments (sensor networks, eg)

SLIDE 19

Breaking Point

  • All MACs examined have some breaking point, after which many forgeries are possible

SLIDE 20

Summary of Attacks

MAC scheme | Expected queries for j forgeries | Succumbs to padding attack / other attack | Message freedom
CBC MAC | C_1 + j | √ | m − 2
EMAC | C_1 + j | √ √ | m − 2
XCBC | C_1 + j | √ √ | m − 2
PMAC | C_1 + j | √ | 1
ANSI retail MAC | C_1 + j | √ √ | m − 2
HMAC | Σ_i C_i / 2^i + j | √ | m − 1

C_i is the i-th observed collision (no truncation of tags)

SLIDE 21

Summary of Attacks

UHF in FH mode | Expected queries for j forgeries | Reveals key | Queries for key recovery
hash127/Poly1305 | C_1 + log m + j | √ | C_1 + log m
VMAC | C_1 + 2j | |
Square Hash | C_1 + 2j | √ | m C_1
Toeplitz Hash | C_1 + 2j | |
Bucket Hash | C_1 + 2j | |
MMH/NMH | C_1 + 2j | |

UHF in WCS mode with nonce misuse | Expected queries for j forgeries | Repeated nonce | Reveals key | Queries for key recovery
hash127/Poly1305 | 2 + log m + j | 1 | √ | 2 + log m
VMAC | C_1 + 2j | C_1 + j | |
Square Hash | 3m + j | m | √ | 3m
Toeplitz Hash | 2j + 2 | 1 | |
Bucket Hash | 2j + 2 | 1 | |
MMH/NMH | 2m + j | m | √ | 2m

SLIDE 22

There’s more

  • Preneel and Handschuh found much more severe attacks, many involving only verification queries

SLIDE 23
  • OK. Now what?
  • Can we fix this?
  • Probably, but at what cost?
  • F(F(K, M), M) would probably work but twice as much computation
  • Look for better tradeoffs
SLIDE 24
  • OK. Now what?
  • Can we fix this?
  • Probably, but at what cost?
  • F(F(K, M), M) would probably work but twice as much computation
  • Look for better tradeoffs

What if F(K,M) = F(K,M’) and F(F(K,M),M) = F(F(K,M’),M’)?

SLIDE 25

Good low security MACs

  • Short tag
  • Fast
  • Guessing the tag is best adversarial strategy (up to a point!)
  • Attacker may get one right every now and then (one frame in video stream)

SLIDE 26

Countermeasures

  • Truncate tags to desired length
  • Use state to avoid reforgeability
SLIDE 27

CBC-MAC HMAC WCS MACs Fast? (in software) Truncate? Use State? X X X

SLIDE 28

Wegman-Carter

Option I: Tag = F_K(h(M))
Option II (stateful): Tag = F_K(n) + h(M)
Option III (stateful): Tag = F_K(n || h(M))

n - nonce, M - message

SLIDE 29

Wegman-Carter

Option I: Tag = F_K(h(M))
Option II (stateful): Tag = F_K(n) + h(M)
Option III (stateful): Tag = F_K(n || h(M))

n - nonce, M - message

SLIDE 30

WMAC

  • Generalization of Options I and III
  • State included, uniqueness not required

Option III (stateful): Tag = F_K(n || h(M))

SLIDE 31

WMAC

  • Generalization of Options I and III
  • State included, uniqueness not required

Option III (stateful): Tag = F_K(n || h(M))

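The three Wegman-Carter options (FH, WCS, FCH) and WMAC, written out as code so the relationship between them is concrete. This is an added example, not code from the slides or from the authors: it uses a polynomial hash modulo 2^127 − 1 in place of VHASH, HMAC-SHA256 truncated to 128 bits in place of truncated AES, XOR as the "+" of Option II, and byte encodings chosen here. The two `*_reuse_*` checks show, on the receiver's terms, why the slides insist that the WCS nonce must be unique while WMAC tolerates repeats: under a repeated nonce the WCS tags expose h(M1) xor h(M2) directly, whereas in FCH/WMAC the hash value is inside the PRF.

```python
import hmac
import hashlib

# Constructed parameters for this illustration; not VHASH, VMAC or any deployed scheme.
P = (1 << 127) - 1     # prime modulus of the polynomial hash
BLOCK = 15             # 15-byte blocks, so every block value is below P
TAG_BYTES = 16         # full-length PRF output: 128 bits


def h(hk: int, msg: bytes) -> int:
    """Polynomial-evaluation hash keyed by hk in [0, P).

    Two distinct messages of at most ell blocks collide for at most ell values of hk
    (their difference is a nonzero polynomial of degree <= ell), so over a uniform hk
    this family is eps-AU with eps <= ell / P."""
    acc = 0
    for i in range(0, len(msg), BLOCK):
        chunk = msg[i:i + BLOCK].ljust(BLOCK, b"\0")
        acc = (acc * hk + int.from_bytes(chunk, "little")) % P
    # Fold in the byte length so a message and its zero-padded extension hash differently.
    return (acc * hk + len(msg)) % P


def h_bytes(hk: int, msg: bytes) -> bytes:
    return h(hk, msg).to_bytes(TAG_BYTES, "big")


def F(K: bytes, x: bytes) -> bytes:
    """PRF stand-in: HMAC-SHA256 truncated to 128 bits (the slides use truncated AES)."""
    return hmac.new(K, x, hashlib.sha256).digest()[:TAG_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tag_fh(K, hk, M):
    """Option I (FH), stateless: Tag = F_K(h(M))."""
    return F(K, h_bytes(hk, M))


def tag_wcs(K, hk, M, n):
    """Option II (WCS), stateful: Tag = F_K(n) + h(M); '+' instantiated here as XOR."""
    return xor(F(K, n), h_bytes(hk, M))


def tag_fch(K, hk, M, n):
    """Option III (FCH), stateful: Tag = F_K(n || h(M))."""
    return F(K, n + h_bytes(hk, M))


def wmac(K, hk, M, n, L):
    """WMAC: FCH with the tag truncated to L bits; the nonce may repeat."""
    full = int.from_bytes(F(K, n + h_bytes(hk, M)), "big")
    return full >> (8 * TAG_BYTES - L)


def wmac_verify(K, hk, M, n, tag, L):
    """Receiver side: recompute the truncated tag and compare in constant time."""
    expect = wmac(K, hk, M, n, L).to_bytes(TAG_BYTES, "big")
    return hmac.compare_digest(expect, tag.to_bytes(TAG_BYTES, "big"))


def wcs_reuse_leaks_hash_difference(K, hk, M1, M2, n):
    """Why WCS needs unique nonces: with n repeated, Tag1 xor Tag2 == h(M1) xor h(M2)
    because F_K(n) cancels, so the PRF no longer protects the hash values."""
    lhs = xor(tag_wcs(K, hk, M1, n), tag_wcs(K, hk, M2, n))
    return lhs == xor(h_bytes(hk, M1), h_bytes(hk, M2))


def fch_reuse_hides_hash_difference(K, hk, M1, M2, n):
    """In FCH/WMAC the hash value passes through the PRF, so the same relation fails
    (equality would be a 2^-128 accident)."""
    lhs = xor(tag_fch(K, hk, M1, n), tag_fch(K, hk, M2, n))
    return lhs != xor(h_bytes(hk, M1), h_bytes(hk, M2))
```

Under a repeated nonce, FCH behaves like FH: two tags collide exactly when the hash values collide, which is the α = q_s end of the WMAC bound; with unique nonces (α = 1) that event cannot occur at all.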
SLIDE 32

WMAC Benefits

  • Fast, comparable to fastest WCS MACs
  • Nonce reuse
  • Sliding scale of security
  • Tags may be truncated safely
  • Tight security reduction
SLIDE 33

WMAC tradeoffs

  • No partial precomputation
  • PRF must accept larger input (possible extra computation)
  • Still has breaking point
  • Limiting incorrect verification queries is important!

SLIDE 34

Security Reduction

Bad things happen with (approximate) probability:

ε(α − 1)q_s / 2 + ε · 2^(L−1) · (q_v^2 + q_v q_s) + 2εq_v

q_s - number of signing queries
q_v - number of verification queries
L - tag length in bits
α - max number of signing queries per nonce
ε - the ε of the ε-AU family used

SLIDE 35

Security Reduction

Bad things happen with (approximate) probability:

ε(α − 1)q_s / 2 + ε · 2^(L−1) · (q_v^2 + q_v q_s) + 2εq_v

q_s - number of signing queries
q_v - number of verification queries
L - tag length in bits
α - max number of signing queries per nonce
ε - the ε of the ε-AU family used

Let α ∈ {1, q_s} for the bound for {Option III, Option I}.

SLIDE 36

Example Parameters

  • Truncated AES as PRF
  • VHASH from VMAC
  • Comparable speed to VMAC
  • After 2^32 queries, 2^24 forgery attempts, one forgery is expected

ε ≤ 2^−82, L = 24, α = 2^24 (8-bit counter value)

SLIDE 37

Example Parameters

  • Truncated AES as PRF
  • VHASH from VMAC
  • Comparable speed to VMAC
  • After 2^32 queries, 2^24 forgery attempts, one forgery is expected

ε ≤ 2^−82, L = 24, α = 2^24 (8-bit counter value)

Tag + counter only 32 bits
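The example parameters worked through against the security-reduction slide, as an added example (not the authors' code): it evaluates the three terms of the stated bound, derives α from the counter width and the number of signing queries (the constructed assumption is that the 8-bit counter is cycled uniformly, so each value recurs q_s / 2^8 times), and compares the result with the expected number of blind tag guesses, q_v / 2^L. It also evaluates the bound at the two ends named on the slide, α = 1 (Option III) and α = q_s (Option I).

```python
def wmac_bad_event_bound(eps: float, alpha: int, qs: int, qv: int, L: int) -> float:
    """The slide's (approximate) probability that something other than a lucky
    tag guess goes wrong, term by term."""
    collide_same_nonce = eps * (alpha - 1) * qs / 2          # hash collisions among signing queries sharing a nonce
    probe = eps * 2 ** (L - 1) * (qv ** 2 + qv * qs)          # truncated-tag probing via verification queries
    verify_collide = 2 * eps * qv                            # per-verification-query hash collision
    return collide_same_nonce + probe + verify_collide


def tag_guessing_expectation(qv: int, L: int) -> float:
    """Expected number of forgeries from blindly guessing L-bit tags."""
    return qv / 2 ** L


def alpha_from_counter(counter_bits: int, qs: int) -> int:
    """Constructed assumption: an r-bit counter cycled through qs signing queries
    makes each nonce value recur about qs / 2^r times."""
    return max(1, qs // 2 ** counter_bits)


def option_bounds(eps: float, qs: int, qv: int, L: int) -> tuple:
    """Bound at alpha = 1 (Option III, unique nonces) and alpha = qs (Option I, stateless)."""
    return (wmac_bad_event_bound(eps, 1, qs, qv, L),
            wmac_bad_event_bound(eps, qs, qv and qv, L) if False else wmac_bad_event_bound(eps, qs, qs, qv, L))


def example_parameters() -> dict:
    """The slide's parameter set: eps <= 2^-82, L = 24, 2^32 signing queries,
    2^24 verification queries, 8-bit counter."""
    eps, L, qs, qv, counter_bits = 2.0 ** -82, 24, 2 ** 32, 2 ** 24, 8
    alpha = alpha_from_counter(counter_bits, qs)
    return {
        "alpha": alpha,
        "bad_events": wmac_bad_event_bound(eps, alpha, qs, qv, L),
        "expected_guessed_forgeries": tag_guessing_expectation(qv, L),
        "tag_plus_counter_bits": L + counter_bits,
    }


if __name__ == "__main__":
    for k, v in example_parameters().items():
        print(f"{k}: {v}")
```

With these numbers the non-guessing terms add up to about 1/8 while blind guessing already yields one expected forgery, which is the slide's point: at 24-bit tags the attacker's best strategy is guessing, and the 8-bit counter keeps the tag-plus-state overhead at 32 bits.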
SLIDE 38

Q&A