References Message Authentication Codes (MACs) Message - - PowerPoint PPT Presentation




Message Authentication Codes (MACs)


Jim Royer

Introduction to Cryptography

October 4, 2018

Crypto | Introduction to Cryptography | October 4, 2018 1 / 9 Message Authentication Codes (MACs)

References

“Message Authentication Codes (MACs),” Chapter 12 of Understanding Cryptography by Paar & Pelzl
Message Authentication Code from Wikipedia: https://en.wikipedia.org/wiki/Message_authentication_code


The Altered Page, An Alice, Bob, and Oscar Story

Alice: Clicks on a link on Bob’s bookstore website to check on a price.
Bob: Sends the webpage (not encrypted).
... however ...
Oscar: Intercepts the webpage, replaces the price by a random number, and ships Alice the resulting webpage.
Alice: Looks at the price and probably shops at Amazon instead.

How to fix this?


Fixing the Altered Page Problem

Some Options

  • Encrypting the page. (O’s trick may still work: Encrypted random ≡ random.)
  • Have Bob sign the page. (Better, but a bit expensive.)
  • Use a message authentication code (MAC), which is part of what is going on when the padlock symbol shows up in your browser.


MACs

  • Uses a shared symmetric key.
  • For the MAC alg., think a fast hash function.
  • For O’s trick to work, he has to find a valid MAC based on both:
      (i) O’s message &
      (ii) A&B’s secret key.

Image from: https://en.wikipedia.org/wiki/Message_authentication_code


MACs: Capabilities & Limitations

✔ Message Integrity: Alice can check if Oscar has altered a (message+MAC) from Bob.
✔ Message Authentication: Alice can check if a (message+MAC) really is from Bob.
✘ Nonrepudiation:
    Alice and Bob go to court about a disagreement on a contract.
    Alice has (m + MAC). She claims m is the contract Bob sent. Bob disagrees.
    BUT, because of the shared key, a judge can’t tell if Alice is truthful or if she constructed m and computed the MAC.
    Moral: Use a signature scheme if you need nonrepudiation.


MACs from Hash Functions

Basic Idea

Pick a cryptographic hash function (e.g., SHA-2) and hash (the key + the message)

Two (too) simple approaches

(See P&P, §12.2 for attack details.)

secret prefix MAC: m = MAC_k(x) = h(k || x)

    || = string concatenation.
    Attack: Making use of the “structure of common hash functions,” you can add a final block to the message without knowing the key.

secret suffix MAC: m = MAC_k(x) = h(x || k)

    Attack: Making use of the “structure of common hash functions,” if Oscar can find a hash collision, i.e., h(m) = h(m_O), then the MAC for m with key k = the MAC for m_O with key k.

Idea #3: Double hash


HMAC: Bellare, Canetti, and Krawczyk (1996)

HMAC_k(x)
    // x = x_1 || ... || x_n, each x_i is a block
    k+ ← k || 0...0
    ipad ← 00110110 || ... || 00110110
    opad ← 01011100 || ... || 01011100
    // k+, ipad, opad are all block-sized
    hash1 ← h((k+ ⊕ ipad) || x_1 || ... || x_n)
    hash2 ← h((k+ ⊕ opad) || hash1)
    return hash2

  • A block is something like 160 or 256 many bits.
  • ipad is 00110110 repeated.
  • opad is 01011100 repeated.
  • Computing hash2 is cheap since h’s input is short.

Theorem (Bellare, Canetti, and Krawczyk, 1996)

Informally: If an opponent can construct valid HMACs for messages, then that opponent can break the cryptographic hash function h.

Proof. Mercifully omitted.

∴ the hash function, h, is secure ⟹ HMAC is secure.
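
The HMAC pseudocode above, written out as an added Python example (not from the original slides), with h = SHA-256 and applied to the altered-page story. The key, the page contents and the bob_send / alice_accepts helper names are constructed for illustration; hashing an over-long key first follows RFC 2104 and is not shown on the slide.

```python
import hashlib
import hmac

BLOCK = hashlib.sha256().block_size  # SHA-256 consumes its input in 64-byte blocks


def hmac_sha256(k: bytes, x: bytes) -> bytes:
    """HMAC_k(x) following the slide's pseudocode, with h = SHA-256."""
    if len(k) > BLOCK:                    # RFC 2104: keys longer than a block are hashed first
        k = hashlib.sha256(k).digest()
    k_plus = k.ljust(BLOCK, b"\x00")      # k+ <- k || 0...0
    ipad = bytes([0b00110110]) * BLOCK    # ipad: 00110110 repeated
    opad = bytes([0b01011100]) * BLOCK    # opad: 01011100 repeated
    inner = bytes(a ^ b for a, b in zip(k_plus, ipad))
    outer = bytes(a ^ b for a, b in zip(k_plus, opad))
    hash1 = hashlib.sha256(inner + x).digest()       # h((k+ XOR ipad) || x)
    hash2 = hashlib.sha256(outer + hash1).digest()   # h((k+ XOR opad) || hash1)
    return hash2


def bob_send(k: bytes, page: bytes):
    """Bob ships the page together with its MAC (hypothetical helper)."""
    return page, hmac_sha256(k, page)


def alice_accepts(k: bytes, page: bytes, tag: bytes) -> bool:
    """Alice recomputes the MAC and compares in constant time (hypothetical helper)."""
    return hmac.compare_digest(hmac_sha256(k, page), tag)


# Constructed sample data, not from the slides.
KEY = b"alice-and-bob-shared-key"
PAGE = b"Understanding Cryptography: $59.99"
TAMPERED = b"Understanding Cryptography: $731.42"

if __name__ == "__main__":
    page, tag = bob_send(KEY, PAGE)
    print("matches stdlib hmac:", tag == hmac.new(KEY, PAGE, hashlib.sha256).digest())
    print("untouched page accepted:", alice_accepts(KEY, page, tag))
    # Oscar swaps the price but has to reuse Bob's tag, since he lacks the key.
    print("altered page accepted:", alice_accepts(KEY, TAMPERED, tag))
```
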


MACs from Block Ciphers

Suppose e is the AES encryption function. (So the block size is 128 bits.)

CipherBlockChainingMAC_k(x)
    // x = x_1 || ... || x_n, each x_i is a block
    IV ← 128 random bits   // a nonce
    y_1 ← e_k(x_1 ⊕ IV)
    y_i ← e_k(x_i ⊕ y_{i−1})   for i = 2, ..., n
    return y_n

nonce ≡ number you use once.
