800 likes | 944 Views
Cryptography. Lecture 5 Stefan Dziembowski www.dziembowski.net stefan@dziembowski.net. Plan. Introduciton to authentica tion CBC-MAC Introduction to the collision-resistant hash functions NMAC and HMAC Authentication + Encryption. Message Authentication. Integrity:. M. Alice. Bob.
E N D
Cryptography Lecture 5Stefan Dziembowskiwww.dziembowski.net stefan@dziembowski.net
Plan • Introduciton to authentication • CBC-MAC • Introduction to the collision-resistant hash functions • NMAC and HMAC • Authentication + Encryption
Message Authentication Integrity: M Alice Bob interferes with the transmission How can Bob be sure that M really comes from Alice?
Sometimes: more imprtant than secrecy! transfer 1000 $ to Bob transfer 1000 $ to Eve Alice Bank Of course: usually we want both secrecy and integrity.
Does encryption guarantee message integrity? Idea: • Alice encrypts m and sends c=Enc(k,m) to Bob. • Bob computes Dec(k,m), and if it “makes sense” accepts it. Intuiton: only Alice knows k, so nobody else can produce a valid ciphertext. It does not work! Example: one-time pad. “Eve” xor “Bob” plaintext transfer 1000 $ to Bob transfer 1000 $ toEve key K xor ciphertext C
Message authentication verifies if t=Tagk(m) (m, t=Tagk(m)) m Alice Bob k k Eve can see (m, t=Tagk(m)) She should not be able to compute a valid tag t’ on any other message m’.
Message authentication – multiple messages m1 (m1, t=Tagk(m1)) m2 (m2, t=Tagk(m2)) . . . . . . Alice Bob mt (m1, t=Tagk(mt)) k k Eve should not be able to compute a valid tag t’ on any other message m’.
Message Authentication Codes – the idea m є {0,1}* (m, t=Tagk(m)) Vrfyk(m)є {yes,no} Alice Bob k k Gen(1n) 1n
Message Authentication Codes A message authentication code (MAC) is a tuple (Gen,Mac,Vrfy) of poly-time algorithms, such that • thekey-generationalgorithm Gen takes as input a security parameter 1n and outputs a keyk, • thetagging algorithm Mactakes as input a key kand a message mє{0,1}*and outputs a tagt, • the verification algorithm Vrfytakes as input a key k, a message m and a tag t, and outputs a bit b є {yes, no}.If Vrfyk(m,t) = yesthen we say that tis a valid tag on the messagem. If Mac is deterministic, then Vrfyjust computes Macand compares the result.
Correctness We require that it always holds that: Vrfyk(m,Mack(m)) = yes What remains is to define securityof a MAC.
How to define security? We need to specify: • how the messages m1,...,mt are chosen, • what is the goal of the adversary. Good tradition: be as pessimistic as possible! Therefore we assume that • The adversary is allowed to chose m1,...,mt. • The goal of the adversary is to produce a valid tag on some m’ such that m’ ≠m1,...,mt.
security parameter 1n selects randomk = Gen(1n) m1 adversary (m1, t=Tagk(m1)) oracle . . . mt (m1, t=Tagk(m1)) • We say that the adversary breaks the MAC schemeat the end she outputs (m’,t’) such that • Vrfy(m’,t’) = yes • m’ ≠m1,...,mt
The security definition We say that (Gen,Mac,Vrfy) is secure if A P(A breaks it) is negligible (inn) polynomial-timeadversary A
Aren’t we too paranoid? [1/2] No! Sometimes the adversary may have influence on the messages that the parties are sending. (remember the story about Midway?) Another example: routing (m, t=Tagk(m)) k k m t
Aren’t we too paranoid? [2/2] Maybe it would be enough to require that: the adversary succeds only if he forges a message that “makes sense”. (e.g.: forging a message that consists of random noise should not count) Bad idea: • hard to define, • is application-dependent.
(m, t) (m, t) (m, t) This problem has to be solved by the higher-level application (methods: time-stamping, sequence numbers...). Warning: MACs do not offer protection against the “replay attacks”. (m, t) Alice Bob Since Vrfyhas no state (or “memory”) there is no way to detect that (m,t) is not fresh! . . .
Constructing a MAC • There exist MACs that are secure even if the adversary is infinitely-powerful.(we discussed them on the first lecture)These constructions are not practical. • MACs can be constructed from the block-ciphers. We will now discuss to constructions: • simple (and not practical), • a little bit more complicated (and practical) – a CBC-MAC • MACs can also be constructed from the hash functions (NMAC, HMAC).
A simple construction from a block cipher Let F : {0,1}n× {0,1}n → {0,1}n be a block cipher. We can now define a MAC scheme that works only for messages m ε {0,1}n as follows: • Gen(1n) simply chose a random key from {0,1}n. • Mac(k,m) = F(k,m) It can be proven that it is a secure MAC. How to generalize it to longer messages? F(k,m) k Fk m
Idea 1 • divide the message in blocksm1,...,md • and authenticate each block separately F(k,m1) F(k,md) Fk Fk . . . m1 md This doesn’t work!
What goes wrong? m: t = Tagk(m): perm m’ = perm(m): t’ = perm(t): Then t’ is a valid tag on m’.
Idea 2 Add a counter to each block. F(k,x1) F(k,xd) Fk Fk . . . m1 1 md d x1 xd This doesn’t work either!
mi i xi m: t = Tagk(m): m’ = a prefix of m: t’ = a prefix of t: Then t’ is a valid tag on m’.
Idea 3 Add l := |m| to each block F(k,x1) F(k,xd) Fk Fk . . . m1 l 1 md l d x1 xd This doesn’t work either!
m1 l 1 xi m: m’: What goes wrong? t = Tagk(m): t’ = Tagk(m’): m’’= first half from m|| second half from m’ t’’ = first half from t || second half from t’ Then t’’ is a valid tag on m’’.
Idea 4 Add a fresh random value to each block! F(k,x1) F(k,xd) Fk Fk . . . r md l d r md l d x1 xd This works!
tagk(m) r F(k,x1) F(k,x2) F(k,xd) Fk Fk Fk . . . . . . r l 1 m1 r l 2 m2 r l d md x2 x1 xd . . . r is chosen randomly m1 m2 md m 000 n – block length l |mi| = n/4 pad with zeroes if needed
This construction can be proven secure Theorem Assuming that F : {0,1}n× {0,1}n → {0,1}n is a pseudorandom permutation the construction from the previous slide is a secure MAC. Proof idea: Suppose it is not a secure MAC. Let A be an adversary that breaks it with a non-negligible probability. We construct a distinguisher D that distinguishes F from a random permutation.
This construction is not practical Problem: The tag is 4 times longer than the message... We can do much better!
CBC-MAC F : {0,1}n× {0,1}n → {0,1}n- a block cipher Gen just chooses a random key k←{0,1}n. tagk(m) Fk Fk Fk Fk Fk . . . |m| m1 m2 m3 md m 0000 pad with zeroes if needed Other variants exist!
tagk(m) Fk Fk Fk Fk Fk . . . |m| m1 m2 m3 md Why is this needed? Suppose we don’t prepend |m|...
t1=tagk(m1) t2=tagk(m2) the adversarychooses: Fk Fk m1 m2 t’= tagk(m’) t1 Fk Fk t’ = t2 now she can compute: m1 m2xor t1 m’
Some practictioners don’t like the CBC-MAC We don’t want to authenticate using the block ciphers! What do you want to use instead? Hash functions! Why? • Because: • they are more efficient, • they are not protected by the export regulations.
Collision-resistant hash functions short H(m) a hash function H : {0,1}* → {0,1}L longm colision-resistance a “collision” Requirement: it should be hard to find a pair (m,m’) such that H(m) =H(m’)
Collisions always exist domain m range m’ Since the domain is larger than the range the collisions have to exist.
Hash functions – an example of an application a voice phone link H(m) a long message m Bob Alice a fast insecure link (e.g. internet) If Bob can recognize Alice’s voice then the integrity of m is guranteed.
Another example FileF can be downloaded by an insecure connection. If we can learn H(F)in a secure way, we can verify authenticity of F.
Hash functions are a bit simillar to the error-correcting codes Difference between the hash functions and the error correcting codes: • error-correcting codes are secure against the random errors. • collision-resistant hash functions are secure against the intentional errors. A bit like: pseudorandom generators vs. cryptographic pseudorandom generators.
“Practical definition” H is a collision-resistant hash function if it is “practically impossible to find collisions in H”. Popular hash funcitons: • MD5 (now cosidered broken) • SHA1 • ...
How to formally define “collision resitance”? Idea Say something like: H is a collision-resistant hash function if A P(A finds a collision in H) is small efficientadversary A Problem For a fixed H there always exist a constant-time algorithm that “finds a collision in H” in constant time. It may be hard to find such an algorithm, but it always exists!
Solution When we prove theorems we will always consider families of hash functions indexed by a key s. {Hs} s є keys
informal description: “knows H” a protocol H H H formal model: s is chosen randomly a protocol s Hs Hs Hs
informal description: “knows H” a protocol H H H H real-life implementation (example): “knows SHA1” a protocol SHA1 SHA1 SHA1
Hash functions – the functional definition A hash function is a pair of probabilistic polynomial-time algorithms (Gen,H) where • Gen takes as input a security parameter 1nand outputs a key s. • H takes as input a key s and a message x є {0,1}* and outputs a string Hs(x)є {0,1}L(n), where L(n) is some fixed function.
Hash functions – the security definition [1/2] 1n s ← Gen(1n) s outputs (m,m’) We say that adversary A breaks the function (Gen,H) if Hs(m) = Hs(m’).
Hash functions – the security definition [2/2] (Gen, H) is a collision-resistant hash function if A P(A breaks (Gen,H)) is negligible polynomial-timeadversary A
A common method for constructing hash functions • Construct a “fixed-input-length” collision-resistant hash functionCall it: a collision-resistant compression function. • Use it to construct a hash function. L h(m) h : {0,1}2·L→ {0,1}L m 2·L
h h h pad with zeroes if needed An idea t m 0000 . . . m1 m2 mB miє {0,1}L . . . IV H(m) can be arbitrary This doesn’t work...
Why is it wrong? t m 0000 . . . m1 m2 mB If we set m’ = m || 0000 then H(m’) = H(m). Solution: add a block encoding “t”. t m 0000 . . . m1 m2 mB mB+1 := t
h h h h Merkle-Damgård transform given h : {0,1}2L→ {0,1}Lwe construct H : {0,1}*→ {0,1}L doesn’t need to be know in advance (nice!) t m 0000 m1 m2 mB mB+1 := t miє {0,1} L . . . IV H(m)
This construction is secure We would like to prove the following: Theorem If h : {0,1}2L→ {0,1}L is a collision-resistant compression function then H : {0,1}*→ {0,1}L is a collision-resistant hash function. But wait…. It doesn’t make sense…