1 Message Authentication Codes Reading: Chapter 4 of Katz & Lindell 1

2 Message authentication • m Bob receives a message from Alice, he wants to know he message was (Data origin authentication) whether t e. really sent by Alic e message has been modified. (Data integrity) whether t h • Two solutions: (MAC) message authenti Alice attaches a code cation to the message (using a symmetri c key to compute the MAC). hes Or a u signat e attac sh to the message (using an re gnature asymmetric key to compute the si ). 2

3 Basic idea of MAC Message authentication protocol: • . 1. Alice and Bob share a secret key k s a tag : ( ) 2. To send a message , Alice compute MAC m m t = k , to Bob. and sends mt ) ( ′′ ′ ′ 3. On receiv , Bob checks whether ( ). , ing = MAC m m t t ( ) k therwise, he reje If so, he accepts the message; o cts it. code (MAC The tag is called a . t • ) message authentication mputat • ionally infeasible to forge a Security requirement: co k x MAC x he key . valid pair ( , ( )) without knowing t k 3

4 MAC Scheme (formal definition) , ): A MAC scheme is a triple ( , • Gen Mac Vrfy n Key generation algorithm: On input 1 , outputs n {0,1} . a key k ← u ut p Tag generation algorithm : On in Mac k a key and a message outputs a tag . We write ( ). ∈← , t t m M Mac Mac m k * () ln MM or {0,1} e space. Assume M {0,1} .) is the messag ( = = m Vrfy Verification algorithm k : On input a key , a essage , and m Vrfy t ning ) outputs 1 (mea a tag , algorithm id val = Vrfy m t inv id al ( , ) 0 or 1. ). or 0 ( k Vrfy Gen Mac is deterministic. , are probabilistic algorithms. • ∈∈ uirement: for every and , k K mM req Correctness , ( ) 1. Vrfy m Mac m = ) ( kk 4

5 is deterministic): Canon (used when ication ical verif Mac • 1 if ( ) t Mac m = k ( ,) Vrfy m t = k 0 otherwise () ln , the scheme is said to {0,1} If be M • = a MAC scheme for messag fixed-len es of le gt h ln ngth . () Fixed-length MAC schemes are easier to construct. • * • nstructed from {0,1} can be co = General MAC schemes for M chemes. h s fixed-lengt 5

6 Chosen-Message Attacks on MAC Schemes n ): Experiment MAC-Fo rge ( , Π A n 1. A key kG ← (1 ) is generated. n oracle access to ( ). A Mac ⋅ 2. The adversary is given inpu t 1 and k A for messages of its choice. may ask the oracle to compute tags Let be the set of all queries has made to the oracle. QA 3. event ually outputs a pair ( , ). A mt f e ( tries to g a valid pair of message and tag. or ) A ∉ = = 4. MAC-For m Q Vrfy m ge ( ) 1 A ( succeeds) if and ( , ) 1. n t Π k A , • Remarks: age attacker. Adversary: an adaptive chosen-mess forge tia ry . : an existen Forgery l 6

7 MAC security: existential unforgeability under an adaptive chosen-message attack Gen Mac Vrfy , , existentially Definition: A MAC scheme ( ) is e y ) secur adaptive chosen-message atta unforgeable ck under an mpl (or si A if for all polynomial-time adversaries , there exists a negligible function negl such that = ≤ negl n n ( ) 1 ( ) Pr MAC-Forge A , Π or ac M ) ( ⋅ nn k =←≤ Vrfy A k negl n 1 : P r 1 {0 , 1} ( ) ( ) ) ( ku where th e output of , ( , ), satisfies . A mt m Q ∉ 7

8 Strong MAC security If a MAC scheme is secure, the probabil ity is negligible that • . m Q mt A can forge a valid ( , ) with ∉ ′ ifferent A tt valid tag d However, it may be possible for to forge a ≠ • fo , where is the tag retur ∈ r some message m t mQ ned by the oracle on . ure strongly sec . • If no adversary is able to do so, the MAC scheme is To formally define strong security, mo a • dify the experiment s follows: ′ the oracle on ( , ) : , is the tag returned by Q . ∈ = Let m mt m Q t { } ′ ∉ succeeds if an only if it outputs A a valid pair ( , ) mt Q . cure". ⇔ is deterministic, then "secure" MAC • If " strongly se 8

9 Constructing secure MAC schemes • F Let be a pseudorandom function. • F hemes in several steps. We will use to construct secure MAC sc h n gt en h t fixed-leng MAC schemes for messages of l Secure n ln ⋅ Secure MAC schemes for messages of le ngth fixed-length ( ) th g messages Secure MAC schemes for arbitrary-len • n s a multiple of . For simplicity, assume message length i .) do padding to make this assumption true ys lwa (We can a 9

10 n = M {0,1} Secure MAC schemes for • F Let be a pseudorandom function. • n length : Fixed-length MAC scheme for messages of nn ← k Key generation: On input 1 , {0,1} . u nn ∈ ∈ km t {0,1} and message {0,1} , ration: On inpu Tag gene = t Fm output the tag : ( ). k = Fm t 1 if ( ) k = mt Vrfy mt Verification: On input ( , ), ( , ) : k e rwis 0 othe • Theorem: Such a MAC scheme is secure. 10

11 Basic CBC-MAC • F Let be a pseudorandom function. • Basic CBC-MAC works as follows: n ← k Key generation: {0,1} . u n nq ⋅ ∈∈ km {0,1} an Tag generation: For key {0,1} , d message = mmm m q se as ( , , ) // blocks // − par q 1 n m −= IV apply CBC to with 0 , i.e., let n ≤≤ i q t Fm t = = ⊕ t : 0 and : ) for 1 ( ki i i − 01 − t output as the tag q nical Verification: can o • Theorem: For any length function , bas fixe d l ic CBC-MAC is secure ength ) (. nln ⋅ for messages of l 11

12 Remarks It is important that ( ) is fixed, or t he scheme would be insecure. t IV • 0 • Also, the scheme variab insecure . if message length is would be le ′ m m t Mac m t Mac m = = ( and : ) ( : Suppose ). 123 4 kk ′′ . Let be such that m tm m ⊕= 44 4 ′ ′ = ) . Then ( t m Mac m mm k 1 4 23 n = 0 IV 12

13 CBC-MAC for arbitrary-length messages A FIPS and ISO standard. • There are several variants of CBC- MAC. • One variant of CBC-MAC: Prepend the message with its length (as an -bit string) m mn • an d then compute basic CBC-MAC on the result. Remarks: • . There is a limitation on m mm is appended to the end of . It would be insecure if 13

14 14

15 Another variant of CBC-MAC n kk Generate two keys , {0,1} . •← 12 u • m To authenticate a message , let the tag be = m tF : basic-CBC-MAC ( ) . ( ) kk 21 kk • One may use only one key and generate , from : kk 2 1 = (1) and : (2) = : kF k F 12 kk 15

16 h) Security of CBC-MAC (for arbitrary lengt CBC-MAC is secure if is a pseudorando ction. Theo m fun F : rem In practice, block ciphers (such as DES , AES) are used. • 16

17 Authenticated Encryption To ensure both secrecy and integrity 17

18 Unforgeable encryption • n ( ) : Experiment Enc-Forge Π , A n Gen (1 ) to obtain a key . k Run n Enc ss to oracle ⋅ ( ), A The adversary is given 1 and acce k and outputs a ciphertext c . () . Let be the set of all messages that = D e m cc : QA Let k on. has asked the oracle for encrypti A ( succeeds) if and only if The output of the experiment is 1 ) an is a valid m essage ( ∈ m mQ d . m ∉ M An encryption scheme ( , • ) is Π= Definition: unforgeab l Gen Enc Dec , e ( ) 1 A n negl n ( ). if for every , Pr Enc-Forge = ≤ A Π , 18

19 Authenticated encryption scheme • d on: Definiti icate hent ut a n A symmetric-key encryption scheme is a forgeable. un e and encryption scheme if it is CCA-secur ption scheme from a • ncry authenticated e We will construct an trongly secure MAC scheme. CPA-secure encryption scheme and a s • Three natural ways: Encrypt and authenticate (insecure) e) cur e Authenticate then encrypt (ins Encrypt then authenticate (secure) • sage, an encryption key, In the following slides, let be a mes mk E a MAC key. k and M 19

20 Encrypt and Authenticate m pendently. That is, • Sender: encrypt and authenticate inde ct the ciphertext is where , t Mac () c Enc m ←← (), m kk EM • ct Receiver: given ciphertext , , do ( ), and then check if ( , ) 1. ←= m t Vrfy c Dec m kk EM • Security: re, since might leak info about . Not necessarily EAV-secu tm Mac hen the scheme If is deterministic (e.g., CBC-MAC), t is not CPA- secure . 20

21 Authenticate then Encrypt ncrypt and the tag. Sender: authenticate first and then e • mm : Thus, the ciphertext is computed as c ( ), ( ) t Mac m c Enc m t ←← kk ME Receiver: given ciphert ext , do • c ( ) and then check if ( , ) 1. Dec ←= m t Vrfy c m t kk EM A potential attack: • Suppose PKCS#5 padding is used. Suppos e the receiver does: p if the adding is incorrect then return a "bad padding" error the tag is incorrect retur n a "bad mac" error. elsei f th en t he en The padding attack can be conducted to r i ecover . t re mt 21

22 Encrypt then Authenticate m • Sender: encrypt first and then authenticate the result. Thus, where the ciphertext is , t c ( ), ( ) m t Mac c ←← Enc c kk EM ( ). ( , ) 1 then f Receiver: on receiving , , i ← = c Dec m c t rfy • tV c kk ME If the encryption scheme is and the M AC CPA-secure em: or The • scheme is strongly secure thenticate , then the encryption-then-au ction te cons yields authe an tru ntica scheme. d e ncrypti on y secure MAC CPA-secure encryption + strongl CCA-secure and unforgeabl ncry e e ption ⇒ 22

SCRIE TENANTS LIST ~ By Docket Number ~ Borough of Bronx SCRIE in the last year; it includes tenants that have a lease expiration date equal or who have received • This report displays information on ...

More info »THE EARLY STAGES IN OF THE FISHES CALIFORNIA CURRENT REGION CALIFORNIA FISHERIES COOPERATIVE OCEANIC INVESTIGATIONS ATLAS NO. 33 BY THE SPONSORED STATES OF COMMERCE DEPARTMENT UNITED OCEANIC AND ATMOS...

More info »U.S. DEPARTMENT OF TRANSPORTATION ORDER FEDERAL AVIATION ADMINISTRATION 7400.11C JO Air Traffic Organization Policy August 13, 2018 SUBJ: Airspace Designations and Reporting Points . This O rder, publ...

More info »STATE OF NEW YORK 2 0 1 9 T E N T A T I V E A S S E S S M E N T R O L L PAGE 1 VALUATION DATE-JUL 01, 2018 COUNTY - Niagara T A X A B L E SECTION OF THE ROLL - 1 CITY - North Tonawanda TAX MAP NUMBER ...

More info »U:\2019CONF\HJRes31Front.xml APPRO. SEN. [COMMITTEE PRINT] REPORT { } CONGRESS 116TH 1st HOUSE OF REPRESENTATIVES Session 116- FURTHER APPROPRIATIONS FOR MAKING CONTINUING OF HOMELAND SECURITY FOR THE...

More info »Sample page from NUMERICAL RECIPES IN C: THE ART OF SCIENTIFIC COMPUTING (ISBN 0-521-43108-5) Permission is granted for internet users to make one paper copy for their own personal use. Further reprod...

More info »APD Issued 2017-1.5 Manual Policy 7/20/2017 Austin Police Department Policy Manual CHIEF'S MESSAGE I am proud to present the newest edition of the Austin Police Department Policy Manual. The Policy Ma...

More info »C HERMODYNAMICS HEMICAL T OMPOUNDS AND C OMPLEXES OF OF C U, Np, Pu, Am, Tc, Se, Ni and Zr O ELECTED WITH RGANIC L IGANDS S Wolfgang Hummel (Chairman) Laboratory for Waste Management Paul Scherrer Ins...

More info »UNITED STAT ES DIS TRICT COURT IC F OR THE D ISTR T OF CO LU M BIA UNITED STAT F AMERICA, : ES O : : la in t if f, P 99 No. on cti l A vi Ci : 96 (GK) -24 : and : TOBACCO-F UND, : REE KIDS ACTION F : ...

More info »Table of Contents National Board Pressure Relief Device Certificati ons NB-18 FOREWARD... 1 NATIONAL BOARD PRESSURE RELIEF DEVICE CERTIFICATION... 2 DETERMINATION OF CERTIFIED RELIEVING CAPACITIES... ...

More info »HANDBOOK of METAL ETCHANTS Editors Perrin Walker William H. Tarn CRC Press Boca Raton Boston London New York Washington, D.C. © 1991 by CRC Press LLC

More info »D E A R T M E N T O F D E F E N S E P N A L O F W A R M A W U A L J U N E 2 0 1 5 O F F I C E O F G E N ER A L C O U N S E L D P A R T M E N T E O F D E F E N S E

More info »MPI : A Message-Passing Interface Standard Version 3.0 Message Passing Interface Forum September 21, 2012

More info »Guidance on the Application of the CLP Criteria – July 2017 1 Version 5.0 G U I D A N C E Guidance on the Application of the CLP Criteria Guidance to Regulation (EC) No 1272/2008 on classification, la...

More info »California Contractors License Law & Reference Book 2018 Edition With Rules and Regulations Contractors State License Board State of California Edmund G. Brown, Jr., Governor

More info »131 STAT. 135 PUBLIC LAW 115–31—MAY 5, 2017 * Public Law 115–31 115th Congress An Act Making appropriations for the fiscal year ending September 30, 2017, and for May 5, 2017 other purposes. [H.R. 244...

More info »201 8 Fourth National Report on Human Exposure to Environmental Chemicals U pdated Tables, March 2018 , Volume One

More info »