• No results found

Message authentication

N/A
N/A
Protected

Academic year: 2021

Share "Message authentication"

Copied!
10
0
0

Loading.... (view fulltext now)

Full text

(1)

Message authentication

-- Hash based MAC functions

-- MAC functions based on block ciphers -- Authenticated encryption

(c) Levente Buttyán (buttyan@crysys.hu)

Secret prefix method

MAC

k

(x) = H(k|x)

– insecure !

• assume an attacker knows the MAC on x: M = H(k|x)

• he can produce the MAC on x’|y as M’ = f(M,y), where x’ is x with padding and f is the compression function of H

y | padding’ M’ = MACk(x’|y) f k | x1 CV0 f x2 f xL| padding M f

(2)

Message authentication 3

A similar mistake

MAC

k

(x) = H

k

(x)

where Hk(.) is H(.) with CV0= k y | padding’ M’ = MACk(x’|y) f x1 K f x2 f xL| padding M f

Secret suffix method

MAC

k

(x) = H(x|k)

– insecure if H is not collision resistant

• using a birthday attack, the attacker finds two inputs x and x’ such that H(x) = H(x’) (can be done off-line without the knowledge of k)

• then obtaining the MAC M on one of the inputs, say x, allows the attacker to forge a text-MAC pair (x’, M)

– weaknesses

• MAC depends only on the last chaining variable • key is involved only in the last step

k | padding M f x1 x’1 CV0 f x2 x’2 f xL x’L H(x) = H(x’) f …

(3)

Message authentication 5

Envelop method

MAC

K

(x) = H(k|x|k)

– a key recovery attack has been discovered on this scheme (requiring

264text-MAC pairs for MD5 with 128-bit key)

– although, not really practical, the attack still represents an architectural flaw

HMAC

HMACk(x) = H( (k+⊕ opad) | H( (k+⊕ ipad) | x ) )

where

– h is a hash function with input block size b and output size n – k+is k padded with 0s to obtain a length of b bits

– ipad is 00110110 repeated b/8 times – opad is 01011100 repeated b/8 times

k+ipad CV0 f x1 f xL|padding1 f CV1inner … k+opad CV0 f M|padding2 f CV1outer HMACk(x) H H

(4)

Message authentication 7

Encrypted hash

MAC

K

(x) = E

K

(H(x))

– off-line search for messages with colliding MAC values is possible here without the knowledge of k Æ H must be collision resistant ! – collision resistant hash functions usually have larger output size than

the block size of the block cipher Æ which mode to use to encrypt the hash?

– two messages having the same hash value will have the same MAC value under all keys

CBC-MAC

– CBC MAC is secure for messages of a fixed number of blocks

– forgery is possible if variable length messages are allowed

E x1 k + E x2 k + E x3 k + E xN| 100… cN k + 0 cN-1 … c1 c2 c3 E-1 E k’ k CBC MAC op tion al

(5)

Message authentication 9

A known-text forgery

ƒ

given two text-MAC pairs (x, M) and (x’, M’), a third valid

text-MAC pair can be computed as follows:

(x | 100… | x’

1

⊕ M | x’

2

| … | x’

L

, M’)

E x1 k + k E xN| 100… cN= M k + 0 cN-1 c1 E x’1+ M + k c’2 E x’L| 100… c’L= M’ k + c’L-1

A chosen-text forgery

ƒ

given a known text-MAC pair (x

1

, M

1

)

ƒ

request MAC for M

1

, receive M

2

= E

k

(M

1

⊕ 0) = E

k

(M

1

)

ƒ

M

2

is the MAC of the message (x

1

|0)

E last block of x1 k + E 0 k + M1 Ek(M1) E k + M1 0 Ek(M1)

(6)

Message authentication 11

Another chosen-text forgery

ƒ

given two known text-MAC pairs: (x

1

, M

1

), (x

2

, M

2

)

ƒ

request MAC for message x

1

|M

1

⊕M

2

⊕z, where z is an

arbitrary block

ƒ

receive M

3

= E

k

(M

1

⊕M

2

⊕z⊕M

1

) = E

k

(M

2

⊕ z)

ƒ

M

3

is also the MAC for message x

2

|z

E last block of x2 k + E z k + … M2 E k(z⊕M2) = M3 E last block of x1 k + E M1⊕M2⊕z k + … M1 M3= Ek(M2⊕z)

How to use CBC-MAC in practice?

ƒ

use the optional final encryption

– reduces the threat of exhaustive key search (key is (k, k’) Æ key length is doubled)

– prevents the previously presented existential forgeries

– has marginal overhead (only last block is encrypted multiple times)

ƒ

prepend the message with a block containing the length of

the message before the MAC computation

ƒ

use k to encrypt the length and obtain k’ = E

k

(length), and

use k’ as the MAC key (i.e., use message dependent MAC

keys)

(7)

Message authentication 13

CMAC

ƒ

proposed to fix problems with CBC-MAC

E x1 k + E x2 k + E xN| 100… CMACk(x) k + 0 … cN-1 c1 c2 k’ computed from Ek(0)

Authenticated encryption schemes

ƒ simultaneously protect the confidentiality and the integrity of a message

ƒ motivations:

– to prevent chosen-ciphertext attacks (such as the Vaudenay attack)

• the decryption oracle immediately recognizes improperly constructed ciphertexts and refuses to decrypt them

• attacker can construct a correct ciphertext only if he already knows the plaintext Æ decryption oracle becomes useless

– efficiency (in some cases)

• needs fewer operations if the message is encrypted and the authentication tag is computed in a single pass

ƒ approaches:

– specialized schemes (e.g., XCBC, OCB, CCM)

– combine “regular” encryption and MAC functions (but be careful !)

• Ek1(x, MACk2(x)) (check for padding oracle attack !) • Ek1(x), MACk2(x) (check for padding oracle attack !)

(8)

Message authentication 15

CCM mode

ƒ

CCM means CTR mode and CBC-MAC

– (two pass) authenticated encryption mode – integrity protection is based on CBC-MAC – encryption is based on CTR mode

– the same block cipher and key is used for both operations

ƒ

inputs:

– K – key

– N – nonce (should not repeat for a given key K) – m – message to be protected

– a – additional data to be authenticated only (e.g., message header)

ƒ

outputs:

– encrypted message

– encrypted authentication tag (MAC value)

CCM – computing the authentication tag

ƒ

first block B

0

:

ƒ

next blocks containing a:

ƒ

next blocks containing m:

. . . B1 B2 Bx 00…0 encoding(length(a)) || a . . . Bx+1 Bx+2 Bn 00…0 m message length MAC length: 2*M+2

(9)

Message authentication 17

CCM – computing the authentication tag

ƒ

given B

0

, B

1

, …, B

n

:

X1ÅEK(B0)

Xi+1ÅEK(Xi+ Bi) for i = 1, 2, …, n

T Å first-M-bytes(Xn+1)

output T as the MAC value

CCM – encryption

ƒ

the key stream blocks are computed as

SiÅEK(Ci) for i = 0, 1, 2, …

where C

i

is formatted as:

ƒ

the first length(m) octets of S

1

, S

2

, … are XORed to m to

produce the ciphertext

ƒ

S

0

is used to encrypt the authentication tag:

(10)

Message authentication 19

CCM – notes

ƒ security

– level of confidentiality and authenticity is in-line with other proposed authenticated encryption modes, e.g., OCB

– encryption of the authentication tag T for avoiding MAC collision attacks (attacker gets no information about the CBC-MAC results)

– same key for MAC and encryption? No problem…

• E essentially never gets the same input (Ci’s are very likely different from Bi’s)

• an intermediate value in the CBC-MAC computation may collide with a Ci, but those values cannot be

observed, and they affect only T which is encrypted

ƒ efficiency

– two pass processing, but …

– blocks used by the authentication function match up the blocks used by the encryption function

ƒ nonce selection

– nonce values should be unique within the scope of a key

• nonce can be a sequence number

– otherwise a pre-computation attack would be possible

• assume that the key is 128 bits long • choose a particular nonce N0

• choose 264key, and for each K store (K, S 1)

• when a genuine message with N0is sent, guess the first 16 octets of the plaintext (usually higher layer header

fields) and compute S1’

• look-up S1’ in the table (you will find it with large probability due to the birthday paradox), the corresponding K’

value is the key

Summary

ƒ

naïve hash based MAC constructions are usually not secure

ƒ

better to use standard, well-studied constructions, e.g.,

HMAC

ƒ

CBC-MAC is interesting, because it does not need a hash

function, but it can use the same block cipher that is used for

encryption, anyway

ƒ

existential forgeries against CBC-MAC exist, but there are

countermeasures

– e.g., prepending additional context data such as message length to the message, multiple encryption of the last block, etc.

ƒ

authenticated encryption modes have some advantages

– efficiency: the two goals may be achieved in a single pass – security: no information is leaked through a padding oracle

References

Related documents

focused on optimal spectral estimation of general scene reflectance using an optimization procedure based on a color chart, whereas we specifically design our two

Solving the semantic interoperability problem of metadata schemas by using a primitive event-based knowledge representation scheme was one of the ma- jor challenges in creating the

This is not an unbiased estimate of the causal treatment effect, so in Section 5, we re-analyse the REFLUX dataset to obtain a CACE of the cost- effectiveness outcomes, recognising

RESEARCH DESIGN AND METHODS d In a cross-sectional study we used logistic regression models to investigate the temporal relationship between access to generic antihyper-

12. In all of the alternative cases, we feel that generally the changes are still fair. A mortgage with a Standard Variable Rate would be expected to fluctuate, and while we feel

Based on Bill Hewlitt’s truism that “you cannot manage what you cannot measure”, one element of the work carried out with our client was to review their current mechanisms for

Moreover, it has been found during interviews that in case of an abnormality in the foetus the decision regarding the continuation of pregnancy is rarely taken jointly by all

Hell would give anything in this world to be me or you, back in this life, with one more chance to cry out, “God forgive me!” If we come to that dark Valley of Death with unrepented