MAC Algorithms June 2013 Bart Preneel MAC algorithms MAC Algorithm Design and MAC Algorithm Design and Cryptanalysis: Basics Cryptanalysis: Basics Bart Preneel Bart Preneel KU Leuven - COSIC, Belgium KU Leuven - COSIC, Belgium firstname.lastname(AT)esat.kuleuven.be firstname.lastname(AT)esat.kuleuven.be Ice Break 2013 Ice Break 2013 June 2013 June 2013 Clear VER Clear Clear Clear MAC text IFY text text text 2 MAC = hash function with secret key MAC: Definition Message Authentication Code Where dips the rocky Where dips the rocky highland of Sleuth Wood highland of Sleuth Wood in the lake, There lies in the lake, There lies = hash function with secret key: a leafy island where a leafy island where flapping herons wake flapping herons wake the drowsy water-rats; the drowsy water-rats; 1. Description of h public there we’ve hid our there we’ve hid our faery vats, full of berries faery vats, full of berries and of reddest stolen and of reddest stolen 2. X arbitrary length ⇒ fixed length m (32 . . . 160 bits) cherries. Come away, o cherries. Come away, o human child! To the human child! To the 3. Computation of h K (X) “easy” given X and K 4. Computation of h K (X) “hard” given only X , even if a large number of MAC MAC K K pairs { X i , h K (X i ) } is known 239215682364 239215682364 • Calculation of h K (X) without knowledge of secret key: forgery (verifiable or not verifiable) 239215682364 = ? MAC: generic attacks Iterated MAC algorithms length extension: if one knows h(x), easy to compute h(x || y) without knowing x or IV 1. Guess MAC : ± same as for hash function IV H 1 H 2 H 3 = h(x) f f f — On-line verification only colliding — Not verifiable = x 1 x 2 x 3 MACs — Success probability max (1/2 m , 1/2 k ) IV H’ 1 H’ 2 H’ 3 = h(x’) f f f 2. Exhaustive key search : ± same as for block cipher x’ 1 x’ 2 x’ 3 — # X , h K (X) pairs ≈ k/m H 4 = h(x || y) — # attempts ≈ 2 k − 1 IV H 1 H 2 H 3 f f f f = 3. Birthday paradox on iterated MAC algorithms x 1 x 2 x 3 y Internal memory n bits; result m bits H’ 4 = h(x’ || y) IV H’ 1 H’ 2 H’ 3 (output transformation g ) f f f f Forgery after 2 n/2 known and ≤ 2 n − m chosen texts x’ 1 x’ 2 x’ 3 y 6
MAC Algorithms June 2013 Bart Preneel Collision attack on iterated MAC algorithms It. MAC algorithms with output transformation • Collision in MAC values leads to trivial forgery after 1 chosen text- H 3 H 4 IV H 1 H 2 f f f g MAC pair ≠ ? = — indeed: h(x) = h(x’) ⇒ h(x || y) = h(x’ ||y) x 1 x 2 x 3 H’ 3 H’ 4 IV H 1 H’ 2 • If an opponent queries h(x||y), he can forge h(x’ || y) f f f g • MAC value of m bits: need 2 m/2 known text-MAC pairs to find a x’ 1 x’ 2 x’ 3 MAC collision • If g is a injective (fewer input bit than output bits): — h(x) = H 4 = H’ 4 = h(x’) but it may be that H 3 ≠ H’ 3 • If H 3 ≠ H’ 3 the attack will likely fail: h(x || y) ≠ h(x’ || y) • Conclusion: attack requires that H 3 = H’ 3 ( internal collision ) 8 Collision attack on iterated MAC algorithms MAC based on a block cipher: CBC-MAC x 1 x 2 x t • Solution: simulate the first attack H 1 H t-1 H 2 … • For all MAC collisions (h(x) =h(x’)) also ask for h(x || y) and h(x’ ||y) G • If h(x || y) = h(x’ ||y), we have likely found an internal collision (a K 1 E K 1 E K 1 E collision for H 3 in our example) • Attack complexity: 2 n/2 known text-MAC pairs and 2 m-n chosen MAC K1 ( x ) text-MAC pairs • Standards (ANSI, ISO, IEC) • Proof of security by [Bellare-Kilian-Rogaway] • m = 32 . . . 64 bits • Special operation for last block is essential: EMAC, LMAC or CMAC (cf. infra) Based on a block cipher: CBC-MAC (3) Based on a block cipher: CBC-MAC (2) Security with DES: Security with AES-128: • Key search: 2 56 encryptions • Key search: 2 128 encryptions • Key recovery using lc: 2 43 known texts • Guess MAC: 1/2 m • Guess MAC: max(1/2 56 , 1/2 m ) • Birthday forgery attack: • Birthday forgery attack (even if triple-DES): — m = 128: 2 64 known and 1 chosen text — m = 64: 2 32 known and 1 chosen text — m = 64: 2 66 chosen texts — m = 32: 2 33 chosen texts • Improved attack for m = 64: 2 33 chosen texts and 2 known texts • Improved attack for m = 32: 2 17 chosen texts and 2 known texts [Knudsen97] [Knudsen97] Acceptable for most applications Much smaller than expected!
MAC Algorithms June 2013 Bart Preneel Exercises: CBC-MAC forgery MAC based on a block cipher: EMAC • simple CBC-MAC is not secure on message spaces of variable Better way to process last block: encrypted MAC (EMAC) length [RIPE’93][Petrank-Rackoff’98] — exercise: consider a 1-block input x consisting of n bits and assume x 1 x 2 x t that you know MAC K (x); show that it is possible to find the MAC for a H 1 H 2 H t-1 specific 2-block input … — exercise: consider two 1-block inputs x and x’ consisting of n bits and assume that you know MAC K (x) and MAC K (x’); show that it is K 1 E K 1 E K 1 E possible to find the MAC for a specific 2-block input K 2 E MAC K ( x ) MAC based on a block cipher: LMAC NIST: CMAC • Description: use simple CBC-MAC but An even better way to process last block: LMAC — Derive two keys from K 1 : K 2 = E K 1 (0) and K’ 2 is derived from K 2 with a [Handschuh-Preneel’06] simple finite field operation — XOR K 2 or K’ 2 to the last plaintext block (first choice if no padding, second x 1 x 2 x t choice if there is padding) H 1 H 2 H t-1 • Evaluation … — This saves 1 key schedule and 1 encryption (if the length of the plaintext is an exact multiple of the block length) K 1 E K 1 E K 2 E — Price to pay is robustness: K 2 and K’ 2 can be recovered with an internal collision attack — Banks send the value K 2 = E K 1 (0) as (public) key confirmation value! • Note on name MAC K ( x ) — This was called OMAC by its designers [Iwata-Kurosawa] — OMAC is an optimized version of TMAC which is an optimized version of XCBC [Black-Rogaway’00] MAC based on a block cipher: retail MAC Based on a block cipher: retail MAC (2) x 1 x 2 x t Security with DES and m = 64: H 1 H 2 H t-1 … • Key search: 2 112 encryptions G • Guess MAC: max(1/2 56 , 1/2 m ) K 1 E K 1 E K 1 E • (first attack is based on guessing K 1 ) H t = G’ • Birthday forgery attack: 2 32 known and 1 chosen text K 2 D • Improved key recovery [Preneel-van Oorschot-Knudsen] G’’ — 2 32.5 known texts and 3 • 2 56 off-line encryptions K 1 E — 1 known text + 2 56 MAC verifications + 2 57 off-line encryptions Solution: triple-DES in first and last round? MAC K ( x )
MAC Algorithms June 2013 Bart Preneel MAC based on a block cipher: Mac-DES (1) Based on a block cipher: Mac-DES (2) [Knudsen-Preneel’98] Security with DES and m = 64: x 1 x 2 x t • Key search: 2 112 encryptions H 1 H 2 H t-1 … • Guess MAC: max(1/2 112 , 1/2 m ) • Birthday forgery attack: 2 32 known and 1 chosen text K 1 E K 1 E K 1 E • Improved key recovery [Coppersmith-Mitchell-Knudsen2000]: H t — 2 48 chosen texts and 2 59 off-line encryptions K’ 2 D K 2 E Included in ISO/IEC 9797-1 (revision, 1999) MAC K ( x ) MAC: based on an MDC? HMAC • Secret prefix : h(K 1 ||x) • HMAC keys through the IV (plaintext) [Kim+’06] K 1 x — collisions for MD5 invalidate current security proof of HMAC-MD5 Prepend length to avoid that one can compute h(K 1 ||x||y) from h(K 1 ||x) — new attacks on reduced version of HMAC-MD5 and HMAC-SHA-1 without knowing K 1 • Secret suffix : h(x||K 2 ) x K 2 x K 1 Rounds in f2 Rounds in f1 Data complexity Off-line attacks on h 2 254 CP Haval-4 128 102 of 128 f 1 2 72 CP + 2 77 time • Envelope : h(K 1 ||x||K 2 ) MD4 48 48 K 1 x K 2 K 2 2 126.1 CP MD5 64 33 of 64 Risky: less secure than h f 2 2 51 CP & 2 100 time (RK) MD5 64 64 x K 1 • Better variants: 2 109 CP SHA-0 80 80 f 1 HMAC — MDx-MAC and H-MAC : 2 98.5 CP SHA-1 80 53 of 80 K 2 — h K (X) = h(h(K 1 ||x)||K 2 ) f 2 no problem yet for most widely used schemes GMAC: polynomial authentication code Information-theoretic authentication (NIST SP 800-38D 2007 + 3GSM) • keys K 1 , K 2 ∈ GF(2 128 ) Authentication codes (AC): unconditionally secure • input x: x 1 , x 2 , . . . , x t , with x i ∈ GF(2 128 ) = independent of computational power of opponent t x i • (K 2 ) i g(x) = K 1 + Σ i=1 • Research area since mid 1970s • in practice: compute K 1 = AES K (n) (CTR mode) • Widely believed to be impractical: • properties: — Use key only once — lightweight and/or fast in software and hardware (support from Intel/AMD) — Sometimes very large keys — not very robust w.r.t. nonce reuse, truncation, MAC verifications, due to — Security level against forgery is at most half the key size reuse of K 2 (not in 3GSM!) — efficient through reuse of fast arithmetic In 1990s series of new schemes: • (Intel/AMD) PCLMULQD: 10.68 cycles/byte [Käsper-Schwabe09] — weak keys [Saarinen11][Cid-Procter’13] Polynomial evaluation, Toeplitz, bucket hashing, MMH, UMAC,. . . — versions over GF(p) (e.g. Poly1305-AES) seem more robust
Recommend
More recommend