mac ske in practice
play

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary - PowerPoint PPT Presentation

May 22, 2023 •521 likes •2.08k views

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them

  1. (Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) M F K (M) F K Output length of F K should be big enough

  2. (Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) M F K (M) F K Output length of F K should be big enough If an adversary forges MAC with probability ε MAC , then can break PRF with advantage O( ε MAC — 2 -m(k) ) (m(k) being the output length of the PRF) [How?]

  3. (Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) M F K (M) F K Output length of F K should be big enough If an adversary forges MAC with probability ε MAC , then can break PRF with advantage O( ε MAC — 2 -m(k) ) Advantage in (m(k) being the output length of the PRF) [How?] breaking a PRF F: diff in prob a test has of outputting 1, when given F vs. truly random R

  4. (Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) M F K (M) F K Output length of F K should be big enough If an adversary forges MAC with probability ε MAC , then can break PRF with advantage O( ε MAC — 2 -m(k) ) Advantage in (m(k) being the output length of the PRF) [How?] breaking a PRF F: diff in prob a test has of If random function R used as MAC, then outputting 1, when probability of forgery, ε MAC* = 2 -m(k) given F vs. truly random R

  5. MAC for Multiple-Block Messages

  6. MAC for Multiple-Block Messages What if message is longer than one block?

  7. MAC for Multiple-Block Messages What if message is longer than one block? MAC’ing each block separately is not secure (unlike in the case of CPA secure encryption)

  8. MAC for Multiple-Block Messages What if message is longer than one block? MAC’ing each block separately is not secure (unlike in the case of CPA secure encryption) Eve can rearrange the blocks/drop some blocks

  9. MAC for Multiple-Block Messages What if message is longer than one block? MAC’ing each block separately is not secure (unlike in the case of CPA secure encryption) Eve can rearrange the blocks/drop some blocks Could use a PRF that takes longer inputs

  10. MAC for Multiple-Block Messages What if message is longer than one block? MAC’ing each block separately is not secure (unlike in the case of CPA secure encryption) Eve can rearrange the blocks/drop some blocks Could use a PRF that takes longer inputs Can we use a PRF with a fixed block-length (i.e., a block cipher)?

  11. MAC for Multiple-Block Messages

  12. MAC for Multiple-Block Messages A simple solution: “tie the blocks together”

  13. MAC for Multiple-Block Messages A simple solution: “tie the blocks together” Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number

  14. MAC for Multiple-Block Messages A simple solution: “tie the blocks together” Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number B i = (r, t, i, M i )

  15. MAC for Multiple-Block Messages A simple solution: “tie the blocks together” Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number B i = (r, t, i, M i ) MAC(M) = (r, (MAC(B i )) i=1..t )

  16. MAC for Multiple-Block Messages A simple solution: “tie the blocks together” Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number B i = (r, t, i, M i ) MAC(M) = (r, (MAC(B i )) i=1..t ) r prevents mixing blocks from two messages, t prevents dropping blocks and i prevents rearranging

  17. MAC for Multiple-Block Messages A simple solution: “tie the blocks together” Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number B i = (r, t, i, M i ) MAC(M) = (r, (MAC(B i )) i=1..t ) r prevents mixing blocks from two messages, t prevents dropping blocks and i prevents rearranging Inefficient! Tag length increases with message length

  18. CBC-MAC

  19. CBC-MAC PRF domain extension: Chaining the blocks

  20. CBC-MAC PRF domain extension: Chaining the blocks m 1 m t m 2 ⊕ ⊕ ... F K F K F K T

  21. CBC-MAC PRF domain extension: Chaining the blocks m 1 m t m 2 cf. CBC mode for encryption (which ⊕ ⊕ is not a MAC!) ... F K F K F K T

  22. CBC-MAC PRF domain extension: Chaining the blocks m 1 m t m 2 cf. CBC mode for encryption (which ⊕ ⊕ is not a MAC!) ... F K F K F K t-block messages, a single block tag T

  23. CBC-MAC PRF domain extension: Chaining the blocks m 1 m t m 2 cf. CBC mode for encryption (which ⊕ ⊕ is not a MAC!) ... F K F K F K t-block messages, a single block tag T Can be shown to be secure

  24. CBC-MAC PRF domain extension: Chaining the blocks m 1 m t m 2 cf. CBC mode for encryption (which ⊕ ⊕ is not a MAC!) ... F K F K F K t-block messages, a single block tag T Can be shown to be secure If restricted to t-block messages (i.e., same length)

  25. CBC-MAC PRF domain extension: Chaining the blocks m 1 m t m 2 cf. CBC mode for encryption (which ⊕ ⊕ is not a MAC!) ... F K F K F K t-block messages, a single block tag T Can be shown to be secure If restricted to t-block messages (i.e., same length) Else attacks possible (by extending a previously signed message)

  26. Patching CBC-MAC

  27. Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is):

  28. Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K’ (t), where t is the number of blocks

  29. Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K’ (t), where t is the number of blocks Use first block to specify number of blocks

  30. Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K’ (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible

  31. Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K’ (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible EMAC: Output not the last tag T, but F K’ (T), where K’ is an independent key (after padding the message to an integral number of blocks). No need to know message length a priori.

  32. Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K’ (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible EMAC: Output not the last tag T, but F K’ (T), where K’ is an independent key (after padding the message to an integral number of blocks). No need to know message length a priori. CMAC: XOR last block with another key (derived from the original key using the block-cipher). Avoids padding when message is integral number of blocks.

  33. Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K’ (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible EMAC: Output not the last tag T, but F K’ (T), where K’ is an independent key (after padding the message to an integral number of blocks). No need to know message length a priori. CMAC: XOR last block with another key (derived from the original key using the block-cipher). Avoids padding when message is integral number of blocks. NIST Recommendation. 2005

  34. Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K’ (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible EMAC: Output not the last tag T, but F K’ (T), where K’ is an independent key (after padding the message to an integral number of blocks). No need to know message length a priori. CMAC: XOR last block with another key (derived from the original key using the block-cipher). Avoids padding when message is integral number of blocks. NIST Recommendation. 2005 Later: Hash-based HMAC used in TLS and IPSec IETF Standard. 1997

  35. SKE in Practice

  36. Stream Ciphers

  37. Stream Ciphers Used for one-time encryption

  38. Stream Ciphers Used for one-time encryption RC4, eSTREAM portfolio, ...

  39. Stream Ciphers Used for one-time encryption RC4, eSTREAM portfolio, ... In practice, stream ciphers take a key and an “IV” (for initialization vector) as inputs

  40. Stream Ciphers Also used to denote the random nonce chosen for Used for one-time encryption encryption using a block-cipher RC4, eSTREAM portfolio, ... In practice, stream ciphers take a key and an “IV” (for initialization vector) as inputs

  41. Stream Ciphers Also used to denote the random nonce chosen for Used for one-time encryption encryption using a block-cipher RC4, eSTREAM portfolio, ... In practice, stream ciphers take a key and an “IV” (for initialization vector) as inputs Heuristic goal: behave somewhat like a PRF (instead of a PRG) so that it can be used for multi-message encryption

  42. Stream Ciphers Also used to denote the random nonce chosen for Used for one-time encryption encryption using a block-cipher RC4, eSTREAM portfolio, ... In practice, stream ciphers take a key and an “IV” (for initialization vector) as inputs Heuristic goal: behave somewhat like a PRF (instead of a PRG) so that it can be used for multi-message encryption But often breaks if used this way

  43. Stream Ciphers Also used to denote the random nonce chosen for Used for one-time encryption encryption using a block-cipher RC4, eSTREAM portfolio, ... In practice, stream ciphers take a key and an “IV” (for initialization vector) as inputs Heuristic goal: behave somewhat like a PRF (instead of a PRG) so that it can be used for multi-message encryption But often breaks if used this way NIST Standard: For multi-message encryption, use a block- cipher in CTR mode

  44. Block Ciphers

  45. Block Ciphers DES, 3DES, Blowfish, AES, ...

  46. Block Ciphers DES, 3DES, Blowfish, AES, ... Heuristic constructions

  47. Block Ciphers DES, 3DES, Blowfish, AES, ... Heuristic constructions Permutations that can be inverted with the key

  48. Block Ciphers DES, 3DES, Blowfish, AES, ... Heuristic constructions Permutations that can be inverted with the key Speed (hardware/software) is of the essence

  49. Block Ciphers DES, 3DES, Blowfish, AES, ... Heuristic constructions Permutations that can be inverted with the key Speed (hardware/software) is of the essence But should withstand known attacks

  50. Block Ciphers DES, 3DES, Blowfish, AES, ... Heuristic constructions Permutations that can be inverted with the key Speed (hardware/software) is of the essence But should withstand known attacks As a PRP (or at least, against key recovery)

  51. Feistel Network

  52. Feistel Network Building a permutation from a (block) function

  53. Feistel Network Building a permutation from a (block) function Let f: {0,1} m → {0,1} m be an arbitrary function

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline A brief tour of practice diversity Its everywhere you look! Is practice diversity

Outline A brief tour of practice diversity Its everywhere you look! Is practice diversity

5/30/2014 I think Medicine has Practice diversity: What does it mean when everybody does it differently? 1. Too much practice diversity 2. Just enough practice diversity 3. Not enough practice diversity Avery Tung, M.D. FCCM Quality Chief

816 views • 24 slides
Micropipetting Doing it the correct way Practice, practice, practice! Why Take the Time to

Micropipetting Doing it the correct way Practice, practice, practice! Why Take the Time to

Micropipetting Doing it the correct way Practice, practice, practice! Why Take the Time to Practice? Micropipetting is the foundation to many future experiments Correct pipetting insures correct volumes which creates a greater chance

544 views • 19 slides
VIRTUAL ARCHITECTURAL PRACTICE - AN ALTERNATE REALITY PRODUCED BY AIA PMKC + AIA TRUST 1.5

VIRTUAL ARCHITECTURAL PRACTICE - AN ALTERNATE REALITY PRODUCED BY AIA PMKC + AIA TRUST 1.5

Peter S. Macrae, AIA SPEAKERS: VIRTUAL PRACTICE FRAMEWORK Charles R. Heuer, Esq, FAIA MANAGING RISK WHEN RUNNING A VIRTUAL PRACTICE Kevin J. Collins, RPLU, Associate AIA CHALLENGES TO PROFESSION AND PRACTICE IN A VIRTUAL PRACTICE Lira Luis,

630 views • 37 slides
Communities of Practice Contents Communities of Practice Why and How? Proposed

Communities of Practice Contents Communities of Practice Why and How? Proposed

COP1.1 Establishing Communities of Practice Contents Communities of Practice Why and How? Proposed Thematic Streams Next Steps Community of Practice What and Why? Theory - A community of practice is a group of practitioners

431 views • 6 slides
MA Creative Practice DR Sam Broadhead SFHEA MA Creative Practice course Leader MA Creative

MA Creative Practice DR Sam Broadhead SFHEA MA Creative Practice course Leader MA Creative

MA Creative Practice DR Sam Broadhead SFHEA MA Creative Practice course Leader MA Creative Practice A Masters level course drawing upon the specialist provision, community of practice and expertise available at Leeds College of Art. Focused

788 views • 32 slides
Best practice in lipid management Delivering best practice: 5 Steps / Interactive Case Study

Best practice in lipid management Delivering best practice: 5 Steps / Interactive Case Study

Best practice in lipid management Delivering best practice: 5 Steps / Interactive Case Study Dr Chris Harris & Dr Youssef Beaini Chair: Jean Hayhurst In association with Heart UK MAKING BEST PRACTICE EVERYDAY PRACTICE Bold and

915 views • 70 slides
Good Practice Department Victoria Heath 2 April 2014 What is good practice? What the DPA

Good Practice Department Victoria Heath 2 April 2014 What is good practice? What the DPA

Information Commissioners Office Good Practice Department Victoria Heath 2 April 2014 What is good practice? What the DPA says? Good practice is defined as such practice for processing personal data as appears to be desirable.

854 views • 12 slides
Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit. Theory alone can bring forth and develop the spirit of inventions Louis Pasteur, 1822-1895 Practice : It is a capital mistake to theorize before

548 views • 42 slides
Presentation Practice education in the context of agency practice models: the implications for

Presentation Practice education in the context of agency practice models: the implications for

Presentation Practice education in the context of agency practice models: the implications for practice education and the commodification of social work knowledge . Tom Wilks Approaches to theory A specific theoretical orientation A

437 views • 20 slides
Take away for today: Know the format! Judge from the positive! Practice, Practice,

Take away for today: Know the format! Judge from the positive! Practice, Practice,

3/19/2018 2018 Hippology/Horse Bowl/Judging Clinic Amanda Thompson 4-H and PAS Judge Take away for today: Know the format! Judge from the positive! Practice, Practice, Practice! 1 3/19/2018 What is the purpose of oral

279 views • 7 slides
Best Practice Wool Scouring Dr. Jock Christoe Best Practice - Definition Make a profit by

Best Practice Wool Scouring Dr. Jock Christoe Best Practice - Definition Make a profit by

Best Practice Wool Scouring Dr. Jock Christoe Best Practice - Definition Make a profit by producing a product in an environmentally sustainable way that is acceptable to the customer at the lowest possible cost Factors Affecting Best Practice

643 views • 35 slides
Setting up your own Practice Members in Practice Morning Holiday Inn Kensington Forum 21 June

Setting up your own Practice Members in Practice Morning Holiday Inn Kensington Forum 21 June

Setting up your own Practice Members in Practice Morning Holiday Inn Kensington Forum 21 June 2014 John A W Lawrenson MIoEE Business Consultant SFEDI Accredited Setting up your own Practice Agenda Support for Start Up Businesses

416 views • 27 slides
Doctor of Nursing Practice (DNP) Program College of Nursing Background Practice-Focused

Doctor of Nursing Practice (DNP) Program College of Nursing Background Practice-Focused

Curricular Recommendations Doctor of Nursing Practice (DNP) Program College of Nursing Background Practice-Focused doctoral programs in nursing are designed to prepare experts in specialized advanced practice nursing(AACN, 2006).

742 views • 9 slides
Good Clinical Practice Sarah Temkin, MD What is Good Clinical Practice? Good Clinical

Good Clinical Practice Sarah Temkin, MD What is Good Clinical Practice? Good Clinical

Good Clinical Practice Sarah Temkin, MD What is Good Clinical Practice? Good Clinical Practice (GCP) is an international ethical and scientific standard for conducting biomedical and behavioral research involving human participants. The

599 views • 20 slides
ALL TEACHERS CAN PRACTICE AND ACT AS CONSULTANTS FOR FREE OR FOR A FEE: THE CASE OF LAW PRACTICE BY

ALL TEACHERS CAN PRACTICE AND ACT AS CONSULTANTS FOR FREE OR FOR A FEE: THE CASE OF LAW PRACTICE BY

ALL TEACHERS CAN PRACTICE AND ACT AS CONSULTANTS FOR FREE OR FOR A FEE: THE CASE OF LAW PRACTICE BY LAW TEACHERS 1 Abdulkarim A. Kana Ph.D* A Paper presented at the 2015 Annual General Conference of the Nigerian Bar Association (NBA) on the 25 th

564 views • 25 slides
Presentation of Best Practice-1 1. Title of the Practice : Timely Examinations and Publication of

Presentation of Best Practice-1 1. Title of the Practice : Timely Examinations and Publication of

Presentation of Best Practice-1 1. Title of the Practice : Timely Examinations and Publication of Results sticking to the Academic Calendar prepared at the beginning of the Academic Session. 2 . Goal : The practice of following the academic

61 views • 3 slides
Discrete Mathematics with Applications MATH236 Dr. Hung P. Tong-Viet School of Mathematics,

Discrete Mathematics with Applications MATH236 Dr. Hung P. Tong-Viet School of Mathematics,

Discrete Mathematics with Applications MATH236 Dr. Hung P. Tong-Viet School of Mathematics, Statistics and Computer Science University of KwaZulu-Natal Pietermaritzburg Campus Semester 1, 2013 Tong-Viet (UKZN) MATH236 Semester 1, 2013 1 /

993 views • 62 slides
Cryptography [Symmetric Encryption] Fall 2017 Franziska (Franzi) Roesner

Cryptography [Symmetric Encryption] Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli,

224 views • 18 slides
Advanced Encryption Standard

Advanced Encryption Standard

Advanced Encryption Standard 1 Advanced Encryption Standard (AES) Advanced Encryption Standard (AES) 1997 NIST call for candidate larger key size (bits): 128, 192, 256

645 views • 40 slides
Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631

Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631

CUNSHENG DING Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631 CUNSHENG DING Computer Security HKUST, Hong Kong Lecture 07: Several One-Key Block Ciphers Outline of this Lecture One-key

622 views • 24 slides
Symmetric Cryptography Nils Nordbotten August 2020 1 Terminology plaintext (P) - original

Symmetric Cryptography Nils Nordbotten August 2020 1 Terminology plaintext (P) - original

IN3210/4210 Network and Communications Security Symmetric Cryptography Nils Nordbotten August 2020 1 Terminology plaintext (P) - original message/data ciphertext (C)- coded message/data cipher - algorithm for transforming

672 views • 17 slides
Computer Communication Networks Security IECE / ICSI 416 Spring 2020 Prof. Dola Saha 1

Computer Communication Networks Security IECE / ICSI 416 Spring 2020 Prof. Dola Saha 1

Computer Communication Networks Security IECE / ICSI 416 Spring 2020 Prof. Dola Saha 1 Properties and Threat Models Secrecy/Confidentiality Can secret data be leaked to an attacker? Integrity Can the system be modified by the

735 views • 40 slides
A Simple Power Analysis Attack on the TwoFish Key Schedule Jose Javier Gonzalez Ortiz May 5,

A Simple Power Analysis Attack on the TwoFish Key Schedule Jose Javier Gonzalez Ortiz May 5,

A Simple Power Analysis Attack on the TwoFish Key Schedule Jose Javier Gonzalez Ortiz May 5, 2016 University of Michigan Introduction Cryptography Basics securely communicate Cryptography allows us to information with other parties.

543 views • 29 slides
Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES

Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES

Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES and AES Public Key Cryptography 2 1 Cryptographic Keys Alices Bobs K A encryption decryption K B key key ciphertext encryption

381 views • 12 slides

More recommend