Message authentication and cryptographic hashing (2MMC10 Cryptology, slide deck)


  1. Message authentication and cryptographic hashing
     2MMC10 Cryptology
     Andreas Hülsing, September 20, 2018
     A. Hülsing, 2MMC10 Cryptology, 1 / 12

  2. Message authentication
     Sometimes we want more than secrecy! Acknowledgement of receipt, social communication, source of an executable, ...
     We need integrity and authenticity!
     Does encryption give authenticity / integrity? No:
     - PRG-ENC, PRF-ENC, ... any stream cipher allows controlled bit-flips: flipping a ciphertext bit flips exactly that plaintext bit. If the message format is known, this may be disastrous.
     - Block ciphers make similar attacks harder, but give no guarantees. ECB mode allows switching the order of blocks, repeating blocks, etc.

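The controlled bit-flip on a stream cipher, as an added example that is not part of the slides: the cipher is a PRF-ENC built here from HMAC-SHA256 in counter mode (a constructed toy, not a recommended cipher), and the message layout `transfer amount=0010 to=alice` is an assumption standing in for "the format is known". The attacker never touches the key; it XORs the ciphertext bytes with `known XOR wanted` at the right offset, and the legitimate receiver decrypts the attacker's amount.

```python
import hashlib
import hmac

# Constructed example: PRF-ENC, i.e. a stream cipher whose keystream is
# F_k(nonce || counter) with HMAC-SHA256 standing in for the PRF F.
# Toy construction for illustration only; real systems use an AEAD.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def prf_enc(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

prf_dec = prf_enc  # XOR with the same keystream is its own inverse

def flip_field(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker side, no key: turn the plaintext bytes at `offset` (known to
    be `known`) into `wanted`. Since c = p XOR ks and p == known,
    c XOR known XOR wanted = wanted XOR ks, which decrypts to `wanted`."""
    assert len(known) == len(wanted)
    c = bytearray(ciphertext)
    for i, (a, b) in enumerate(zip(known, wanted)):
        c[offset + i] ^= a ^ b
    return bytes(c)

def demo() -> bytes:
    """Encrypt a fixed-format message, tamper with it blindly, decrypt it."""
    key = hashlib.sha256(b"constructed demo key").digest()  # constructed key
    nonce = b"\x00" * 8
    msg = b"transfer amount=0010 to=alice"  # constructed sample message
    ct = prf_enc(key, nonce, msg)
    # The attacker knows the layout (not the key) and rewrites the amount.
    off = msg.index(b"0010")
    forged = flip_field(ct, off, b"0010", b"9999")
    return prf_dec(key, nonce, forged)
```

The same byte-wise trick works against any stream cipher or counter-mode block cipher, which is why an integrity check (a MAC, or an AEAD) is mandatory whenever the receiver acts on the decrypted content.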

  6. Message authentication codes (MAC)
     Definition (message authentication code). A message authentication code or MAC is a tuple of probabilistic polynomial-time algorithms $\mathrm{MAC} = (\mathrm{Gen}, \mathrm{Mac}, \mathrm{Vrfy})$ over a message space $\mathcal{M}$, fulfilling the following:
     1. Upon input $1^n$, the algorithm $\mathrm{Gen}$ outputs a key $k$. The set of possible outputs of $\mathrm{Gen}$ is called the key space $\mathcal{K}$.
     2. The algorithm $\mathrm{Mac}$ receives as input a key $k \in \mathcal{K}$ and a message $m \in \mathcal{M}$, and outputs a tag $t \in \mathcal{T}$. The set of possible outputs of $\mathrm{Mac}$ is called the tag space $\mathcal{T}$.
     3. The algorithm $\mathrm{Vrfy}$ receives as input a key $k \in \mathcal{K}$, a message $m \in \mathcal{M}$, and a tag $t \in \mathcal{T}$, and outputs a bit $b \in \{0, 1\}$.
     4. Correctness: for every $n$, every $k \leftarrow \mathrm{Gen}(1^n)$, and every $m \in \mathcal{M}$ it holds that $\mathrm{Vrfy}_k(m, \mathrm{Mac}_k(m)) = 1$.

  7. Existential unforgeability under (adaptive) chosen message attacks (EU-CMA): experiment
     Experiment $\mathrm{Exp}^{\mathrm{EU\text{-}CMA}}_{\mathcal{A},\,\mathrm{MAC}}(n)$:
     1. $k \leftarrow \mathrm{Gen}(1^n)$
     2. $(m, t) \leftarrow \mathcal{A}^{\mathrm{Mac}_k(\cdot)}(1^n)$. Let $\{m_i\}_{i=1}^{q}$ denote $\mathcal{A}$'s queries to $\mathrm{Mac}_k$.
     3. If $\mathrm{Vrfy}_k(m, t) = 1$ and $m \notin \{m_i\}_{i=1}^{q}$, return 1.
     4. Else return 0.

  8. Existential unforgeability under (adaptive) chosen message attacks (EU-CMA): definition
     Definition (EU-CMA). A message authentication code $\mathrm{MAC} = (\mathrm{Gen}, \mathrm{Mac}, \mathrm{Vrfy})$ over a message space $\mathcal{M}$ is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a negligible function $\mathrm{negl}$ such that
     $\Pr\left[\mathrm{Exp}^{\mathrm{EU\text{-}CMA}}_{\mathcal{A},\,\mathrm{MAC}}(n) = 1\right] \le \mathrm{negl}(n).$

  9. Existential unforgeability under (adaptive) chosen message attacks (EU-CMA): concrete definition
     Definition (EU-CMA). A message authentication code $\mathrm{MAC} = (\mathrm{Gen}, \mathrm{Mac}, \mathrm{Vrfy})$ over a message space $\mathcal{M}$ is $(t, \varepsilon)$ existentially unforgeable under an adaptive chosen-message attack if for all $t$-time adversaries $\mathcal{A}$
     $\Pr\left[\mathrm{Exp}^{\mathrm{EU\text{-}CMA}}_{\mathcal{A},\,\mathrm{MAC}}(n) = 1\right] \le \varepsilon.$

  10. Remarks
     - There exists a constant-time attack with success probability $1/|\mathcal{T}|$ against every MAC (output a fresh message with a uniformly random tag) ⇒ tags must not be too short.
     - MACs do not prevent replay attacks! A valid (message, tag) pair stays valid, so replay has to be handled at the protocol level (e.g., using sequence numbers).


  12. PRF = MAC
     Theorem. A $(t, \varepsilon)$-secure PRF $F$ yields a $(t, \varepsilon)$-secure MAC with
     - $\mathrm{Gen}(1^n)$ returns $k \leftarrow_R \{0,1\}^n$.
     - $\mathrm{Mac}_k(m)$ returns $t := F_k(m)$.
     - $\mathrm{Vrfy}_k(m, t)$ returns 1 if $t = F_k(m)$, and 0 otherwise.
     Proof: see board.

  13. CBC-MAC
     Construction. Let $F$ be an efficient, length-preserving keyed function over $\{0,1\}^n$. CBC-MAC has message space $\mathcal{M} = \{0,1\}^{\ell n}$ (fixed $\ell$). The algorithms are as follows:
     - $\mathrm{Gen}(1^n)$ returns $k \leftarrow_R \{0,1\}^n$.
     - $\mathrm{Mac}_k(m)$, upon input key $k \in \{0,1\}^n$ and a message $m$ of length $\ell n$, does the following:
       1. Denote $m = m_1, \ldots, m_\ell$ where each $m_i$ is of length $n$, and set $t_0 = 0^n$.
       2. For $i = 1$ to $\ell$, set $t_i \leftarrow F_k(t_{i-1} \oplus m_i)$.
       3. Output $t_\ell$.
     - $\mathrm{Vrfy}_k(m, t)$ returns 1 if $t = \mathrm{Mac}_k(m)$, and 0 otherwise.

  14. Variable message length CBC-MAC
     CBC-MAC is not secure for variable-length messages: a tag $t$ on the one-block message $m_1$ is also a valid tag on the two-block message $m_1 \,\|\, (m_1 \oplus t)$, since $F_k(t \oplus m_1 \oplus t) = F_k(m_1) = t$.
     Solutions for variable $\ell$:
     - Derived key: compute $k' = F_k(\ell)$ and use $k'$ to compute $t = \mathrm{Mac}_{k'}(m)$.
     - Prepend length: compute $t = \mathrm{Mac}_k(\ell \,\|\, m)$.
     - Encrypted tag: use two keys $k_1, k_2 \in \{0,1\}^n$, compute $t' = \mathrm{Mac}_{k_1}(m)$ and output $t = F_{k_2}(t')$. We can generate $k_1, k_2$ from a single key using $F$ as a length-doubling PRG: $\langle k_1, k_2 \rangle = \langle F_k(0), F_k(1) \rangle$.


  16. Padding
     What if the message length is not a multiple of the block length, $|m| \ne x \cdot n$?
     Solution: padding. Expand the message to a multiple of the block length, usually with an injective function $\mathrm{Pad}: \{0,1\}^* \to (\{0,1\}^n)^*$, e.g. $m \mapsto m \,\|\, 10^*$ (append a single 1 bit, then as many 0 bits as needed).
     The required properties depend on the cryptographic application: encryption needs an invertible padding (the receiver must strip it); a MAC only needs an injective one (distinct messages must not pad to the same string).
     Padding is often used for additional purposes: randomization, or encoding the message length.

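The CBC-MAC construction, the variable-length forgery and two of the fixes from the preceding slides, together with the $m \,\|\, 10^*$ padding, as one added example that is not part of the slides. The block function `F` is HMAC-SHA256 truncated to 16 bytes, standing in for the PRF $F_k$ (a constructed choice; a real CBC-MAC uses a block cipher such as AES). The message `pay alice 100 eu` is a constructed one-block input; the demo shows the raw CBC-MAC accepting the forged two-block message with the old tag, and the prepend-length and encrypted-tag variants rejecting it.

```python
import hashlib
import hmac

N = 16  # block length n in bytes

def F(key: bytes, block: bytes) -> bytes:
    """Keyed, length-preserving function on N-byte blocks: HMAC-SHA256
    truncated to N bytes stands in for the PRF F_k of the slides
    (constructed for this example, not a standard CBC-MAC primitive)."""
    assert len(block) == N
    return hmac.new(key, block, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad10(m: bytes) -> bytes:
    """Injective padding m -> m || 1 0*: byte 0x80 is the 1 bit followed by
    seven 0 bits, then 0x00 bytes up to a multiple of N (always adds >= 1 byte)."""
    m += b"\x80"
    return m + b"\x00" * (-len(m) % N)

def cbc_mac(key: bytes, m: bytes) -> bytes:
    """Raw CBC-MAC (slide 13): t_0 = 0^n, t_i = F_k(t_{i-1} XOR m_i), output t_l."""
    assert len(m) % N == 0, "raw CBC-MAC takes whole blocks only"
    t = bytes(N)
    for i in range(0, len(m), N):
        t = F(key, xor(t, m[i:i + N]))
    return t

def cbc_mac_prefix_len(key: bytes, m: bytes) -> bytes:
    """'Prepend length' fix (slide 14): Mac_k(l || pad(m)) with l as one block."""
    return cbc_mac(key, len(m).to_bytes(N, "big") + pad10(m))

def cbc_mac_enc_tag(key: bytes, m: bytes) -> bytes:
    """'Encrypted tag' fix (slide 14): k1, k2 = F_k(0), F_k(1); t = F_k2(Mac_k1(pad(m)))."""
    k1 = F(key, (0).to_bytes(N, "big"))
    k2 = F(key, (1).to_bytes(N, "big"))
    return F(k2, cbc_mac(k1, pad10(m)))

def verify(mac_fn, key: bytes, m: bytes, t: bytes) -> bool:
    """Vrfy_k(m, t): recompute and compare in constant time."""
    return hmac.compare_digest(mac_fn(key, m), t)

def forge_raw(m1: bytes, t1: bytes) -> bytes:
    """Forgery without the key: for a one-block m1 with raw tag t1,
    Mac_k(m1 || (m1 XOR t1)) = F_k(t1 XOR m1 XOR t1) = F_k(m1) = t1."""
    assert len(m1) == N
    return m1 + xor(m1, t1)

def demo() -> dict:
    key = hashlib.sha256(b"constructed demo key").digest()  # constructed key
    m1 = b"pay alice 100 eu"          # constructed, exactly one 16-byte block
    t1 = cbc_mac(key, m1)             # tag the attacker obtained legitimately
    forged = forge_raw(m1, t1)
    return {
        # raw CBC-MAC accepts the forged two-block message with the old tag
        "raw_accepts_forgery": verify(cbc_mac, key, forged, t1),
        # both fixes reject the pair (forged, tag of m1) under their own scheme
        "prefix_len_rejects": not verify(cbc_mac_prefix_len, key, forged,
                                         cbc_mac_prefix_len(key, m1)),
        "enc_tag_rejects": not verify(cbc_mac_enc_tag, key, forged,
                                      cbc_mac_enc_tag(key, m1)),
    }
```

`pad10` always appends at least one byte, which is what makes it injective: without that rule a message ending in `0x80 0x00…` could collide with its own unpadded form. The prepend-length variant needs $\ell$ known before the first block is processed, which is why the encrypted-tag variant (CMAC-style) is preferred for streaming input.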


  21. Secrecy + Authenticity
     We want a combination of encryption and MAC that provides IND-CCA and EU-CMA security. Options:
     - Encrypt-and-MAC: $c = \mathrm{Enc}_{k_1}(m)$, $t = \mathrm{Mac}_{k_2}(m)$. Possibly insecure, as the MAC might leak information about $m$ (a deterministic tag reveals, e.g., whether two messages are equal)!
     - MAC-then-Encrypt: $t = \mathrm{Mac}_{k_2}(m)$, $c = \mathrm{Enc}_{k_1}(m \,\|\, t)$. Possibly insecure, but counterexamples are more involved.
     - Encrypt-then-MAC: $c = \mathrm{Enc}_{k_1}(m)$, $t = \mathrm{Mac}_{k_2}(c)$. Secure for any IND-CPA encryption scheme and strongly unforgeable MAC; the receiver verifies $t$ before decrypting, so tampered ciphertexts are never decrypted.
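Encrypt-then-MAC beside Encrypt-and-MAC, as an added example that is not part of the slides. The encryption scheme is the same constructed HMAC-SHA256 counter-mode stream cipher (a toy standing in for $\mathrm{Enc}$), the MAC is HMAC-SHA256, and the two keys `K1`, `K2` are constructed. `bitflip_rejected` replays the slide-2 bit-flip against an Encrypt-then-MAC ciphertext and shows the receiver refusing it before decryption; `eam_leaks_equality` shows the Encrypt-and-MAC leak: two ciphertexts of the same message differ (fresh nonces) but carry identical tags.

```python
import hashlib
import hmac
import os

# Constructed example (not from the slides): a PRF-based stream cipher
# F_k(nonce || counter) with HMAC-SHA256 as the PRF, and HMAC-SHA256 as
# the MAC. Toy building blocks; real code uses an AEAD such as AES-GCM.
K1 = hashlib.sha256(b"demo encryption key").digest()  # k1 for Enc (constructed)
K2 = hashlib.sha256(b"demo mac key").digest()         # k2 for Mac (constructed)
NONCE_LEN, TAG_LEN = 8, 32

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def enc(key: bytes, m: bytes) -> bytes:
    """Enc_k(m): fresh random nonce || (m XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(m, keystream(key, nonce, len(m))))

def dec(key: bytes, c: bytes) -> bytes:
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# Encrypt-then-MAC: c = Enc_k1(m), t = Mac_k2(c); verify t before decrypting.
def etm_seal(m: bytes) -> bytes:
    c = enc(K1, m)
    return c + mac(K2, c)

def etm_open(blob: bytes):
    c, t = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(mac(K2, c), t):  # constant-time comparison
        return None                              # reject before touching plaintext
    return dec(K1, c)

# Encrypt-and-MAC: c = Enc_k1(m), t = Mac_k2(m); the tag is computed on m itself.
def eam_seal(m: bytes) -> bytes:
    return enc(K1, m) + mac(K2, m)

def bitflip_rejected() -> bool:
    """Flip one ciphertext byte (the stream-cipher attack of slide 2) and
    check that Encrypt-then-MAC refuses to decrypt the result."""
    blob = bytearray(etm_seal(b"transfer amount=0010"))  # constructed message
    blob[NONCE_LEN + 16] ^= 0x09   # would turn the first '0' of the amount into '9'
    return etm_open(bytes(blob)) is None

def eam_leaks_equality() -> bool:
    """With a deterministic MAC, Encrypt-and-MAC lets an observer tell that two
    ciphertexts carry the same plaintext: ciphertexts differ, tags are equal."""
    a, b = eam_seal(b"yes"), eam_seal(b"yes")
    return a[:-TAG_LEN] != b[:-TAG_LEN] and a[-TAG_LEN:] == b[-TAG_LEN:]
```

Two details matter in practice: the tag check uses `hmac.compare_digest` so that verification time does not depend on where the first mismatching byte is, and `etm_open` returns before any decryption, so there is no decrypted-but-unauthenticated data for a padding or format oracle to leak.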
