Authenticating with Block Ciphers. CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk. Message Authentication Codes (MAC). A keyed checksum of the message. Sender of a message m computes c = MAC_K(M) and sends (M, c) to the receiver.

Authenticating with Block Ciphers
CS 470 Introduction to Applied Cryptography
Instructor: Ali Aydin Selcuk
Message Auth. Codes

Message Authentication Codes (MAC)
• A keyed checksum of the message.
• Sender of a message m computes c = MAC_K(M) and sends (M, c) to the receiver.
• Receiver also computes c' = MAC_K(M). If c' = c the message is accepted.
• Example applications:
  • protecting files on an OS against modification
  • authentication of routing messages

MACs (cont'd)
• A MACed message is not necessarily encrypted.
• MAC function doesn't need to be invertible.
• MAC keys are symmetric. Hence, doesn't provide non-repudiation (unlike digital signatures).
• Security of a MAC: An attacker shouldn't be able to generate a valid (M', c') pair, even after seeing many valid message-MAC pairs possibly of his choice (i.e. by a chosen message attack).

MAC from a Block Cipher
How to obtain a MAC from a block cipher?
Suggestion:
• divide message into blocks
• compute a checksum by adding (or xoring) them
• encrypt the checksum with the block cipher
Is this construction secure?
• If the message is not encrypted?
• If the message is encrypted?

CBC-MAC
• Raw CBC-MAC:
  • Compute the CBC over the message with IV = 0.
  • The last output block is the MAC.
• Q: Why not a random IV?
Other alternatives:
• ECB?
• OFB/CTR?
• CFB?

CBC-MAC (cont.)
• Theorem: When defined over some specified-length input message (of n blocks), {0,1}^(n×ℓ) → {0,1}^ℓ, raw CBC-MAC is provably secure, given that the underlying block cipher is secure.
• But it is insecure if used for variable-length messages:
  • Given the MAC of 1-block m, c = MAC_K(m), attacker can compute MAC_K(m || m ⊕ c). (How?)
  • Many similar attacks are also possible.

Encrypted CBC-MAC
• Two keys (K, K1). Do one additional encryption on the final block with K1:
  y = CBC-MAC_K(M)
  c = E_K1(y)
• Theorem: ECBC-MAC is provably secure, given that the underlying block cipher is secure.
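
The variable-length weakness of raw CBC-MAC and the ECBC-MAC fix from the two slides above, as an added example that is not part of the original lecture. The block cipher E is a stand-in 4-round Feistel built from HMAC-SHA256 (an assumption; the slides name no cipher), and the keys and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes (the slides' ℓ, taken here as 128 bits)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    """Stand-in block cipher (assumption): 4-round Feistel, HMAC-SHA256 rounds."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def raw_cbc_mac(key, msg):
    """Raw CBC-MAC: CBC with IV = 0, last output block is the tag."""
    if not msg or len(msg) % BLOCK:
        raise ValueError("message must be a non-empty multiple of the block size")
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = E(key, xor(state, msg[i:i + BLOCK]))
    return state

def ecbc_mac(key, key1, msg):
    """Encrypted CBC-MAC: y = CBC-MAC_K(M), c = E_K1(y)."""
    return E(key1, raw_cbc_mac(key, msg))

def extend(m, c):
    """The slide's 2-block message m || (m XOR c), built from (m, c) alone."""
    return m + xor(m, c)

def demo():
    K, K1 = b"constructed key0", b"constructed key1"  # constructed sample keys
    m = b"PAY ALICE $100.0"                            # constructed 1-block message
    c = raw_cbc_mac(K, m)
    # Block 1 yields c; block 2 feeds E_K(c XOR m XOR c) = E_K(m) = c again.
    raw_accepts = hmac.compare_digest(raw_cbc_mac(K, extend(m, c)), c)
    t = ecbc_mac(K, K1, m)
    # The verifier never sees the inner chaining value, so the trick fails.
    ecbc_accepts = hmac.compare_digest(ecbc_mac(K, K1, extend(m, t)), t)
    return raw_accepts, ecbc_accepts

if __name__ == "__main__":
    print(demo())
```

The first result shows a receiver using raw CBC-MAC on variable-length input accepting a message the key holder never tagged; the second shows the same construction rejected once the final block is encrypted under K1.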

CBC-MAC Padding
• How to MAC a message whose length is not a multiple of the block size ℓ?
• Padding with all 0s? No! (why not?)
• Append a 1, and then pad with 0s.
• Do this even if the message length is already a multiple of ℓ. (why?)
• Basic Idea: Two distinct messages M and M' should remain distinct after the padding too.

CMAC
• A modification of CBC-MAC to dispense with
  • the final encryption step, and
  • the addition of a dummy padding block.
• Three keys (K, K1, K2) – can be derived from K.
• To MAC a message M = (m_1 || m_2 || … || m_n), take
  • m'_n = m_n ⊕ K1, if m_n is a complete block
  • m'_n = (m_n || 10…0) ⊕ K2, if m_n is not a complete block
• The MAC is the raw CBC-MAC
  c = CBC-MAC_K(m_1 || m_2 || … || m_(n-1) || m'_n)
• Standard CBC-MAC in practice. Recommended by NIST.