CIS 5371 Cryptography 4a. Message Authentication Codes B
Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Message Authentication Codes
Encryption vs message authentication
• Different functionalities
 − Encryption does not provide message authentication!
• Encryption with stream ciphers
 − For c := G^∞(k) ⊕ m one just needs to flip a bit of the ciphertext.
• Encryption with block ciphers
 − Same attack (flipping bits) works, only this time blocks are affected.
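The following added example (not part of the slides) illustrates the stream-cipher point above: with c := G^∞(k) ⊕ m, flipping a bit of c flips the same bit of the recovered plaintext, and decryption gives the receiver no signal that anything changed. The keystream G^∞(k) is modelled here by SHA-256 in counter mode, which is a toy stand-in chosen for this example, not a real cipher; the key and message are constructed values.

```python
import hashlib


def keystream(k: bytes, length: int) -> bytes:
    """Toy model of G^∞(k): SHA-256 over key ∥ counter, concatenated (illustration only)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(k + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt(k: bytes, m: bytes) -> bytes:
    """c := G^∞(k) ⊕ m (first |m| bits of the keystream)."""
    return bytes(a ^ b for a, b in zip(keystream(k, len(m)), m))


def decrypt(k: bytes, c: bytes) -> bytes:
    """XOR with the same keystream recovers the plaintext; there is no integrity check."""
    return encrypt(k, c)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit flipped (models a ciphertext altered in transit)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def tamper_demo(k: bytes, m: bytes, bit_index: int) -> bytes:
    """Encrypt m, flip one ciphertext bit, decrypt: the receiver obtains m with that bit flipped
    and decryption reports no error, which is exactly why a MAC is needed."""
    c = encrypt(k, m)
    return decrypt(k, flip_bit(c, bit_index))


if __name__ == "__main__":
    KEY = b"k" * 32              # constructed demo key
    MSG = b"hello world"         # constructed demo message
    assert decrypt(KEY, encrypt(KEY, MSG)) == MSG
    print(tamper_demo(KEY, MSG, 0))   # the flipped bit turns "h" into "i"
```

The receiver-side check that would catch this is a MAC over the ciphertext, which is what the rest of these slides construct.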
Definition 4.2 Message Authentication Code
A message authentication code (MAC) is a tuple (Gen, Mac, Vrfy) such that:
• Gen takes as input the security parameter 1^n and outputs a key k with |k| ≥ n.
• Mac takes as input a key k and a message m ∈ {0,1}^* and outputs a tag t.
 We write: t ← Mac_k(m) (the algorithm may be randomized).
• Vrfy takes as input a key k, a message m ∈ {0,1}^* and a tag t and outputs a bit b: b = 1 means valid, while b = 0 means invalid.
 We write: b := Vrfy_k(m, t).
Message authentication experiment Mac-forge_{A,Π}(n)
1. A random key k is generated by running Gen(1^n).
2. The adversary A is given input 1^n and oracle access to Mac_k(·). The adversary eventually outputs a pair (m, t). Let Q be the set of all queries A asked the oracle.
3. The output of the experiment is 1 if and only if
 a. Vrfy_k(m, t) = 1, and
 b. m ∉ Q.
Definition 4.3 -- Secure MAC
A message authentication code Π = (Gen, Mac, Vrfy) is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that:
Pr[Mac-forge_{A,Π}(n) = 1] ≤ negl(n).
Construction 4.5 A fixed-length MAC from any PRF
Let F be a pseudorandom function. Define a fixed-length MAC on messages of length n as follows:
• Gen: on input 1^n choose k ← {0,1}^n uniformly at random.
• Mac: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}^n, output the tag
 t := F_k(m).
 (If |m| ≠ |k| then output nothing.)
• Vrfy: on input a key k ∈ {0,1}^n, a message m ∈ {0,1}^n and a tag t, output 1 if and only if t = F_k(m).
 (If |m| ≠ |k| then output 0.)
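The following added example (not code from the slides or the textbook) implements Construction 4.5 and the Mac-forge experiment from slide 4 together, so that the two can be seen interacting. The PRF F_k is modelled, by assumption of this example, as HMAC-SHA256 truncated to n = 128 bits; the two adversaries are constructed for illustration: one replays a queried pair (rejected because m ∈ Q), the other reuses a tag on a modified message (rejected because F_k(m′) ≠ t except with probability 2^-n).

```python
import hashlib
import hmac
import secrets

N_BYTES = 16  # n = 128 bits


def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x): HMAC-SHA256 truncated to n bits, assumed here to be a PRF {0,1}^n -> {0,1}^n."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def gen() -> bytes:
    """Gen(1^n): k ← {0,1}^n uniformly at random."""
    return secrets.token_bytes(N_BYTES)


def mac(k: bytes, m: bytes):
    """Mac_k(m) := F_k(m); outputs nothing (None) when |m| ≠ |k|."""
    if len(m) != len(k):
        return None
    return prf(k, m)


def vrfy(k: bytes, m: bytes, t) -> int:
    """Vrfy_k(m, t) = 1 iff t = F_k(m); 0 when |m| ≠ |k| (constant-time comparison)."""
    if len(m) != len(k) or t is None:
        return 0
    return 1 if hmac.compare_digest(t, prf(k, m)) else 0


def mac_forge(adversary, k=None) -> int:
    """Experiment Mac-forge_{A,Π}(n): run A with oracle access to Mac_k(·), record the
    query set Q, and output 1 iff Vrfy_k(m, t) = 1 and m ∉ Q."""
    if k is None:
        k = gen()
    queries = set()

    def oracle(m: bytes):
        queries.add(m)
        return mac(k, m)

    m, t = adversary(oracle)
    return 1 if vrfy(k, m, t) == 1 and m not in queries else 0


def replay_adversary(oracle):
    """Constructed adversary: outputs a pair it obtained from the oracle. m ∈ Q, so the output is 0."""
    m = b"constructed-msg!"  # 16 bytes = n
    return m, oracle(m)


def bitflip_adversary(oracle):
    """Constructed adversary: queries m, then reuses the tag on m with one bit changed.
    This wins only if F_k(m') = t, which happens with probability 2^-n."""
    m = b"constructed-msg!"
    t = oracle(m)
    m_prime = bytes([m[0] ^ 1]) + m[1:]
    return m_prime, t


if __name__ == "__main__":
    k = gen()
    print(vrfy(k, b"constructed-msg!", mac(k, b"constructed-msg!")))  # 1: honest tag verifies
    print(mac_forge(replay_adversary), mac_forge(bitflip_adversary))   # 0 0
```

The experiment harness records queries itself rather than trusting the adversary, which mirrors the definition: the adversary is free to output anything, and it is the experiment that enforces m ∉ Q.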
Theorem 4.6
Let F be a pseudorandom function. Then Construction 4.5 is a fixed-length MAC for messages of length n that is existentially unforgeable under an adaptive chosen-message attack.
A secure fixed-length MAC
Proof
Let A be a probabilistic polynomial-time adversary. Define:
ε(n) ≝ Pr[Mac-forge_{A,Π}(n) = 1].
Let Π̃ be a MAC that is the same as Π = (Gen, Mac, Vrfy) except that a truly random function f is used instead of the PRF F_k. Then
Pr[Mac-forge_{A,Π̃}(n) = 1] = 2^{-n}.
Distinguisher D
D is given access to an oracle O : {0,1}^n → {0,1}^n.
1. Run A(1^n): whenever A queries its MAC oracle on a message m, answer as follows:
 • Query O with m to get response t. Return t to A.
2. When A outputs (m, t) at the end of its execution do:
 a) Query O with m to get t′.
 b) If t′ = t and A never queried its MAC oracle with m then output 1; else output 0.
Distinguisher D
If the oracle is a PRF then
Pr[D^{F_k(·)}(1^n) = 1] = Pr[Mac-forge_{A,Π}(n) = 1] = ε(n).
If the oracle is a random function then
Pr[D^{f(·)}(1^n) = 1] = Pr[Mac-forge_{A,Π̃}(n) = 1] = 2^{-n}.
Therefore,
|Pr[D^{F_k(·)}(1^n) = 1] − Pr[D^{f(·)}(1^n) = 1]| = |ε(n) − 2^{-n}|.
Distinguisher D
Since F is a PRF it follows that there is a negligible function negl with
|ε(n) − 2^{-n}| ≤ negl(n),
and so ε(n) ≤ negl(n) + 2^{-n} is negligible.
Replay attacks
MACs do not protect against replay attacks. This is because the definition of a MAC does not incorporate any notion of state in the verification algorithm.
• Two common techniques for preventing replay attacks involve the use of sequence numbers and time stamps.
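The following added example (not from the slides) shows the sequence-number technique from the bullet above. A stateless Vrfy, exactly as in Definition 4.2, accepts a replayed packet a second time; a receiver that additionally keeps the highest sequence number seen rejects it. HMAC-SHA256 is used as the MAC, the sender and receiver classes and the packet layout (seq, m, tag) are assumptions of this example, and the key is a constructed value.

```python
import hashlib
import hmac


def tag(k: bytes, seq: int, m: bytes) -> bytes:
    """MAC over seq ∥ m, with seq as a fixed 8-byte big-endian field so the split is unambiguous."""
    return hmac.new(k, seq.to_bytes(8, "big") + m, hashlib.sha256).digest()


def stateless_vrfy(k: bytes, packet) -> bool:
    """Verification as in Definition 4.2: no state, so a replayed packet verifies again."""
    seq, m, t = packet
    return hmac.compare_digest(t, tag(k, seq, m))


class Sender:
    def __init__(self, k: bytes):
        self.k, self.seq = k, 0

    def send(self, m: bytes):
        self.seq += 1  # fresh, strictly increasing sequence number per message
        return (self.seq, m, tag(self.k, self.seq, m))


class Receiver:
    def __init__(self, k: bytes):
        self.k, self.last_seq = k, 0  # the state that the plain MAC definition lacks

    def receive(self, packet) -> bool:
        seq, m, t = packet
        if not stateless_vrfy(self.k, packet):
            return False  # forged or modified packet
        if seq <= self.last_seq:
            return False  # replayed or stale: this number, or a later one, was already accepted
        self.last_seq = seq
        return True


if __name__ == "__main__":
    KEY = b"k" * 32  # constructed demo key
    s, r = Sender(KEY), Receiver(KEY)
    p1 = s.send(b"first")
    print(r.receive(p1), stateless_vrfy(KEY, p1))  # True True
    print(r.receive(p1), stateless_vrfy(KEY, p1))  # False True: only the stateful receiver notices the replay
```

The strict "seq > last_seq" rule also drops legitimately reordered packets; protocols that must tolerate reordering keep a sliding window of accepted numbers instead. Time stamps work the same way, with the receiver's clock and an acceptance window playing the role of last_seq.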
Construction 4.7 A variable-length MAC
Let Π′ = (Gen′, Mac′, Vrfy′) be a fixed-length MAC for messages of length n. Define the MAC Π = (Gen, Mac, Vrfy) as follows:
• Gen: identical to Gen′.
• Mac: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}^* of length l < 2^{n/4}, parse m = m_1 ··· m_d into blocks of length n/4 and choose a random identifier r ∈ {0,1}^{n/4}. Compute t_i ← Mac′_k(r ∥ i ∥ l ∥ m_i) for i = 1, …, d, and output t := (r, t_1, …, t_d).
• Vrfy: parse m into d blocks and recompute the MAC. Output 1 if and only if Vrfy′_k(r ∥ i ∥ l ∥ m_i, t_i) = 1 for all i = 1, …, d.
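The following added example (not code from the slides or the textbook) implements Construction 4.7 on top of the fixed-length MAC of Construction 4.5, with n = 128 bits so that r, i, l and m_i are 32 bits each. Two assumptions of this example: Mac′ uses HMAC-SHA256 truncated to n bits as the PRF, and a final partial block is padded with zero bytes (the length field l makes that padding unambiguous). The tests show what the random identifier, the block index and the length each rule out: swapped tags, a truncated message, and a message that differs only in trailing padding.

```python
import hashlib
import hmac
import secrets

N_BYTES = 16          # n = 128 bits
Q = N_BYTES // 4      # n/4 = 32 bits = 4 bytes per field


def prf(k: bytes, x: bytes) -> bytes:
    """F_k for the fixed-length MAC: HMAC-SHA256 truncated to n bits (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def mac_fixed(k: bytes, x: bytes) -> bytes:
    """Mac′_k(x) of Construction 4.5 on an n-bit input."""
    assert len(x) == N_BYTES
    return prf(k, x)


def vrfy_fixed(k: bytes, x: bytes, t: bytes) -> bool:
    return len(x) == N_BYTES and hmac.compare_digest(t, prf(k, x))


def _blocks(m: bytes):
    """Parse m = m_1 ··· m_d into n/4-bit blocks; the last block is zero-padded (assumption),
    and an empty message still yields one block so that it is covered by a tag."""
    n_blocks = max(1, -(-len(m) // Q))
    padded = m.ljust(n_blocks * Q, b"\x00")
    return [padded[i:i + Q] for i in range(0, len(padded), Q)]


def _field(r: bytes, i: int, l: int, mi: bytes) -> bytes:
    """r ∥ i ∥ l ∥ m_i, each field n/4 bits."""
    return r + i.to_bytes(Q, "big") + l.to_bytes(Q, "big") + mi


def mac_var(k: bytes, m: bytes, r: bytes = None):
    """Mac_k(m) := (r, t_1, …, t_d) with t_i ← Mac′_k(r ∥ i ∥ l ∥ m_i). r is random unless fixed for testing."""
    l = len(m)
    assert l < 2 ** (8 * Q), "message length must be below 2^{n/4}"
    if r is None:
        r = secrets.token_bytes(Q)
    tags = [mac_fixed(k, _field(r, i, l, mi)) for i, mi in enumerate(_blocks(m), start=1)]
    return (r, tags)


def vrfy_var(k: bytes, m: bytes, t) -> int:
    """Vrfy_k(m, t) = 1 iff the number of tags matches d and every t_i verifies."""
    r, tags = t
    blocks = _blocks(m)
    if len(tags) != len(blocks):
        return 0
    l = len(m)
    ok = all(vrfy_fixed(k, _field(r, i, l, mi), ti)
             for i, (mi, ti) in enumerate(zip(blocks, tags), start=1))
    return 1 if ok else 0


if __name__ == "__main__":
    K = b"k" * N_BYTES                         # constructed demo key
    M = b"constructed variable-length message"  # 35 bytes -> 9 blocks
    T = mac_var(K, M)
    print(len(T[1]), vrfy_var(K, M, T))        # 9 1
```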
Theorem 4.6
If Π′ is a secure fixed-length MAC for messages of length n, then Construction 4.7 is a MAC that is existentially unforgeable under an adaptive chosen-message attack.
Construction 4.9 Fixed-length CBC-MAC
Let F be a pseudorandom function. Fix a length function l. The CBC-MAC construction is as follows:
• Gen: on input 1^n choose k ← {0,1}^n uniformly at random.
• Mac: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}^{l(n)·n}:
 1. Parse m = m_1 ··· m_l into blocks of length n, and set t_0 := 0^n.
 2. Compute t_i ← F_k(t_{i−1} ⊕ m_i) for i = 1, …, l.
 Output t := t_l.
• Vrfy: on input a key k ∈ {0,1}^n, a message m ∈ {0,1}^{l(n)·n} and a tag t, output 1 if and only if t = Mac_k(m).
Theorem 4.10
Let l be a polynomial. If F is a pseudorandom function then Construction 4.9 is a fixed-length MAC for messages of length l(n)·n that is existentially unforgeable under an adaptive chosen-message attack.
CBC-MAC vs CBC-mode encryption
1. CBC-mode encryption uses a random IV. If we use a random IV for CBC-MAC then we lose security.
2. In CBC-mode encryption all encrypted blocks are output as part of the ciphertext. This is not the case with CBC-MAC: only the final block is output. If we output the intermediate blocks we lose security.
CBC-MAC
(Figure: m_1, m_2, m_3 are processed in a chain, each block XORed (⊕) with the previous output and passed through F_k; the final output is the tag t.)
CBC-MAC – however …
(Figure: the same chain applied to a longer message m_0, m_1, m_2, m_3, each block XORed (⊕) with the previous output and passed through F_k, ending in a tag t.)
Secure CBC-MAC for variable-length messages – three options
1. Apply the pseudorandom function to the length l of the input message m to get a key k_l, e.g. set k_l := F_k(l). Then compute the CBC-MAC with this key.
2. Prepend the message m with its length |m| and then compute the basic CBC-MAC. If we append |m| instead of prepending it we lose security.
3. Choose two keys k_1, k_2. Compute the CBC-MAC with the first key to get t. The tag is t′ := F_{k_2}(t).
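The following added example (not code from the slides or the textbook) implements the fixed-length CBC-MAC of Construction 4.9, including the length check that makes it fixed-length and the rule that only t_l is ever output, and then the three variable-length options listed above as separate functions. The PRF F_k is modelled, by assumption of this example, as HMAC-SHA256 truncated to the block length n = 128 bits; the keys and messages in the tests are constructed values, and messages are required to be a whole number of blocks, as in the construction.

```python
import hashlib
import hmac

N = 16  # block length n in bytes (128 bits)


def prf(k: bytes, x: bytes) -> bytes:
    """F_k: {0,1}^n -> {0,1}^n, modelled as HMAC-SHA256 truncated to n bits (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac_raw(k: bytes, m: bytes) -> bytes:
    """Basic CBC-MAC: t_0 := 0^n, t_i := F_k(t_{i-1} ⊕ m_i); only t_l is returned.
    The chaining value starts at the fixed 0^n, never at a random IV, and the
    intermediate t_i are never exposed (both points from the CBC-mode comparison)."""
    if len(m) == 0 or len(m) % N:
        raise ValueError("message must be a non-empty multiple of the block length")
    t = bytes(N)
    for i in range(0, len(m), N):
        t = prf(k, xor(t, m[i:i + N]))
    return t


def cbc_mac_fixed(k: bytes, m: bytes, l: int):
    """Construction 4.9 for messages of exactly l blocks; any other length yields no tag."""
    if len(m) != l * N:
        return None
    return cbc_mac_raw(k, m)


def vrfy_fixed(k: bytes, m: bytes, t: bytes, l: int) -> int:
    expected = cbc_mac_fixed(k, m, l)
    return 1 if expected is not None and hmac.compare_digest(expected, t) else 0


# --- the three variable-length options from the slide ---

def option1_length_key(k: bytes, m: bytes) -> bytes:
    """Option 1: derive k_l := F_k(|m|) and run CBC-MAC under k_l."""
    k_l = prf(k, len(m).to_bytes(N, "big"))
    return cbc_mac_raw(k_l, m)


def option2_prepend_length(k: bytes, m: bytes) -> bytes:
    """Option 2: prepend |m| as the first block, then basic CBC-MAC (prepend, not append)."""
    return cbc_mac_raw(k, len(m).to_bytes(N, "big") + m)


def option3_two_keys(k1: bytes, k2: bytes, m: bytes) -> bytes:
    """Option 3: t := CBC-MAC_{k1}(m), output F_{k2}(t)."""
    return prf(k2, cbc_mac_raw(k1, m))


if __name__ == "__main__":
    K, K2 = b"k" * N, b"j" * N         # constructed demo keys
    M1, M2 = b"A" * N, b"A" * (2 * N)  # one-block and two-block messages
    print(vrfy_fixed(K, M1, cbc_mac_fixed(K, M1, 1), 1))  # 1
    print(cbc_mac_fixed(K, M2, 1))                        # None: wrong length for l = 1
    print(option2_prepend_length(K, M1).hex())
```

In the fixed-length version the message length is part of the scheme (l is fixed), which is what Theorem 4.10 relies on; each of the three options binds the length or a second key into the computation so that the same guarantee carries over to messages of varying length.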
Variable length CBC-MAC
(Figure: the length |m| is the first block, followed by m_1, m_2, m_3; each block is XORed (⊕) with the previous output and passed through F_k, and the final output is the tag t.)