Message Authentication Codes (MACs) Message Authentication Codes (MACs) References Message Authentication Codes (MACs) ”Message Authentication Codes (MACs),” Chapter 12 of Understanding Cryptography by Paar & Pelzl Jim Royer Message Authentication Code from Wikipedia https: Introduction to Cryptography //en.wikipedia.org/wiki/Message_authentication_code October 4, 2018 Crypto | Introduction to Cryptography | October 4, 2018 1 / 9 Crypto | Introduction to Cryptography | October 4, 2018 2 / 9 Message Authentication Codes (MACs) Message Authentication Codes (MACs) The Altered Page, An Alice, Bob, and Oscar Story Fixing the Altered Page Problem Alice Clicks on a link on Bob’s bookstore website to check on a price. Some Options Bob Encrypting the page. (O’s trick may still work: Encrypted random Sends the webpage (not encrypted). ≡ random.) Have Bob sign the page. (Better, but a bit expensive.) ... however ... Use a message authentication code (MAC) , which is part of what is Oscar Intercepts the webpage, replaces the price by a random going on when the padlock symbol shows up in your browser. number, and ships Alice the resulting webpage. Alice Looks at the price and probably shops at Amazon instead. How to fix this? Crypto | Introduction to Cryptography | October 4, 2018 3 / 9 Crypto | Introduction to Cryptography | October 4, 2018 4 / 9
Message Authentication Codes (MACs) Message Authentication Codes (MACs) MACs MACs: Capabilities & Limitations ✔ Message Integrity Uses a shared Alice can check if Oscar has altered a (message+MAC) from Bob. symmetric key. For the MAC alg., ✔ Message Authentication think a fast hash Alice can check if a (message+MAC) really is from Bob. function. For O’s trick to ✘ Nonrepudiation work, he has to find Alice and Bob go to court about a disagreement on a contract. a valid MAC based Alice has ( m + MAC ) . She claims m is the contract Bob sent. on both: Bob disagrees. (i) O’s message & (ii) A&B’s secret key . BUT, because of the shared key, a judge can’t tell if Alice is truthful or if she constructed m and computed the MAC . Image from: https://en.wikipedia.org/wiki/Message_authentication_code Moral: Use a signature scheme if you need nonrepudiation. Crypto | Introduction to Cryptography | October 4, 2018 5 / 9 Crypto | Introduction to Cryptography | October 4, 2018 6 / 9 Message Authentication Codes (MACs) Message Authentication Codes (MACs) MACs from Hash Functions HMAC: Bellare, Canetti, and Krawczyk (1996) HMAC k ( x ) Basic Idea // x = x 1 || . . . || x n each x i is a block A block is something like Pick a cryptographic hash function (e.g., SHA-2) k + ← k || 0 . . . 0 160 or 256 many bits. and hash (the key + the message) ipad ← 00110110 || . . . || 00110110 ipad is 00110110 repeated. opad ← 01011100 || . . . || 01011100 // k + , ipad , opad are all block-sized opad is 01011100 repeated. hash 1 ← h (( k + ⊕ ipad ) || x 1 || . . . || x n ) Two (too) simple approaches (See P & P, § 12.2 for attack details.) hash 2 ← h (( k + ⊕ opad ) || hash 1 ) Computing hash 2 is cheap m = MAC k ( x ) = h ( k || x ) secret prefix MAC : || = string concat. since h ’s input is short. return hash 2 Attack: Making use of the “structure of common hash functions,” you can add a final block to the message without knowing the key. Theorem (Bellare, Canetti, and Krawczyk, 1996) m = MAC k ( x ) = h ( x || k ) secret suffix MAC: Informally: If an opponent can construct valid HMACs for messages, then Attack: Making use of the “structure of common hash functions,” that opponent can break the cryptographic hash function h . if Oscar can a hash collision, i.e., h ( m ) = h ( m O ) , then the MAC for m with key k = the MAC for h ( m O ) + key k . Proof. Mercifully omitted. ∴ the hash function, h , is secure = Idea #3: Double hash ⇒ HMAC is secure. Crypto | Introduction to Cryptography | October 4, 2018 7 / 9 Crypto | Introduction to Cryptography | October 4, 2018 8 / 9
Message Authentication Codes (MACs) MACs from Block Ciphers Suppose e is the AES encryption function. (So the block size is 128 bits.) CipherBlockChainingMAC k ( x ) // x = x 1 || . . . || x n each x i is a block IV ← 128 random bits // a nonce y 1 ← e k ( x 1 ⊕ IV ) y i ← e k ( x i ⊕ y i − 1 ) for i = 2, . . . , n . return y n nonce ≡ n umber you use once . Crypto | Introduction to Cryptography | October 4, 2018 9 / 9
Recommend
More recommend
