Lecture 5 - MAC Flashcards
(18 cards)
What is the motivation behind Message Authentication Code?
How can receiver Bob be sure that the message m came from sender Alice and wasn’t intercepted and/or altered by an attacker? The goal is to preserve confidentiality and integrity of messages.
What does MAC consist of?
MAC consists of 3 algorithms
Gen - Key Generation
Mac - Tagging algorithm
Vrfy - Verification algorithm
What does MAC consist of by definition?
A message authentication code (MAC) is a tuple (Gen, Mac, Vrfy) where
Gen - Probabilistic key generation algorithm that on input 1^n returns k ← K with |k| ≥ n
Mac - Tag algorithm that on input k and m ∈ M returns t ∈ T. We write t ← Mac(k,m)
Vrfy - Deterministic verification algorithm that on input of a key k, a message m and tag t, outputs a bit b
For each k and m it holds:
Vrfy_k(m, Mac(k,m)) = 1
When is t a valid tag?
If Vrfy_k(m,t) = 1 holds, then we call t a valid tag for the message m.
If the MAC is deterministic, then Vrfy works as follows:
- Compute t’ = Mac(k,m)
- Output 1 if t’ = t, otherwise output 0
In this case Vrfy does not need to be defined separately; this is called canonical verification.
Explain the MAC security game
- The attacker picks some messages and sends them to the oracle
- The oracle calculates the tag for each message and sends it back
- The attacker analyzes the message/tag pairs and attempts to create a new message together with a tag for it (forged by the attacker)
- If the message is not one of the queried messages and the tag is valid (Vrfy recomputes it), the oracle returns 1, otherwise 0
A MAC is secure if:
for all probabilistic polynomial-time (efficient) attackers A there exists a negligible function negl() such that the probability that the attacker forges a valid tag is at most negl(n)
Name different kinds of MACs
- Information-theoretically secure MACs
  - However, these constructions are not efficient for authentication of many messages
- Complexity-theoretically secure MACs
  - For messages of fixed length
  - For messages of arbitrary length (theoretical construction)
  - For messages of arbitrary length (practical construction): e.g. CBC-MAC and HMAC
Explain Information-theoretically secure MACs and give an example
There exists no adversary A who can generate a valid tag for message m without knowing the key k
Example (one-time MACs):
Given a valid message/tag pair (m,t), it is difficult for an unbounded adversary to create another valid pair (m’,t’)
Construction:
- Let p be a prime number and Z_p the natural numbers modulo p
- Let M = T = Z_p and K = Z_p × Z_p
- Secret key k = (a,b) ∈ K
- Mac(k,m) = a · m + b (computed in Z_p)
Explain Complexity-Theoretical MACs for fixed length messages.
Construction idea: Let F: K × X → Y be a PRF. Define the construction Π = (Gen, Mac, Vrfy) with key-space K, message-space X and tag-space Y as:
- Gen(1^n): outputs k, with k ←R K (chosen uniformly at random from K)
- Mac(k,m): For each message m ∈ X, output t = F_k(m) ∈ Y
- Vrfy_k(m,t): output 1 if t = F_k(m); otherwise output 0
If F is a PRF, then Π is a secure MAC for fixed message length.
- F is indistinguishable from a random function
- The output of a random function can only be guessed with the probability of 2^(-n)
Explain the theoretical construction of complexity-theoretically secure MACs for arbitrary length messages.
Problem: previous approaches only work for fixed length messages
Solution: Domain Extension
Idea 1: Split the message into blocks and authenticate each block individually. Attack: the blocks can be permuted (BAD)
Idea 2: Add a block counter to each block. Attack: the message can still be truncated, since any prefix of the blocks carries valid tags
Idea 3: Add the length ℓ := |m| to each block. Attack: tagged blocks can still be recombined so that a tag t’’ is valid for a new message m’’
Idea 4: Add a random value r to each block. The previous attacks no longer work since the MAC is no longer deterministic. Therefore, this is secure!
If the last block of m is not full, we pad it with 0s.
Explain generic domain extension.
Let (Gen, Mac, Vrfy) be a MAC for fixed message length; then the scheme MAC’ obtained by adding a random value r and padding is secure for messages of arbitrary length.
Formal proof requires reduction:
- Assume that there exists adversary A’ that breaks MAC’ with non-negligible probability.
- Then, we can construct another adversary A that breaks (Gen, Mac, Vrfy)
Conclusion: There exists a MAC domain extension from PRFs
What’s the drawback of the theoretical approach?
It is not efficient: with that construction the fixed-length MAC is executed O(d) times
The length of the tag is O(dn) bits
Alternative: CBC-MAC
Explain CBC-MAC
Cipher Block Chaining MAC is performed as follows
Pass block 1 through F_k, then XOR the output with block 2 and pass it through F_k again, then XOR, pass, XOR, pass… At the end, when the output of block n-1 is XORed with block n and passed through F_k, the output is the message tag.
Vrfy(m,t) - recalculates the tag and checks whether it equals t; if so, the message is authentic (canonical verification)
If F is a block cipher (PRF), then CBC-MAC is a secure MAC for messages of arbitrary length.
Important: the construction is only secure for messages of the same (fixed) length
Solution: To authenticate messages of any length, the message length has to be transmitted as the first block.
What’s the difference between CBC-MAC and CBC Encryption?
CBC - Uses a random initial value IV (important for security)
CBC-MAC - No IV, can be deterministic
CBC - all intermediate values are part of the output
CBC-MAC - Only the final block is output
What’s the procedure to develop authenticated encryption? What problem is common?
- Use API for CPA-secure encryption (e.g. CBC with random IV)
- Use API for MAC (e.g. HMAC)
- Combine both without a good understanding of security
Problem: Not every combination results in secure authenticated encryption
What’s Authenticated Encryption?
Authenticated encryption is a tuple (Enc, Dec) with:
- Enc: K × M → C (as usual)
- Dec: K × C → M ∪ {⊥} (ciphertext rejected if it is incorrect)
Ideal secure communication:
Confidentiality (Strong confidentiality = CCA security)
+
Integrity (Unforgeability)
A symmetric encryption scheme Π = (Gen, Enc, Dec) is an authenticated encryption scheme if Π is secure and unforgeable
Explain Generic construction of Authenticated Encryption
If there exists a CPA-secure encryption scheme and there exists a secure strong MAC, then there exists an authenticated encryption scheme.
Explain ideas of Authenticated Encryption construction.
Idea1 (encrypt and mac)
Enc(m, k1, k2) = (Enc(m, k1), Mac(m, k2))
- Very error prone depending on method used
- MACs have no hiding property!
- Many practical MACs are deterministic - no CPA security! (DO NOT USE!)
Idea2 (MAC then encrypt)
Enc(k1||k2, m) = Enc’(k1, Mac’’(k2, m)||m)
- Secure? It depends.
- Generic: No! We can construct a scheme that isn’t CCA secure
- Special constructions: Yes, e.g. Rand-CTR + one-time MAC
Idea3 (Encrypt then MAC)
Enc(k1||k2, m) = (c’ := Enc’(k1, m), Mac’’(k2, c’))
- Secure? Yes, always a good idea!
- Prove CCA security and unforgeability by reduction
- k1 and k2 must be independent keys (the same key should not be reused for both) because MAC verification reveals information about the plaintext.
Name standards for AE (Authenticated Encryption).
GCM: CTR mode encryption, then a special MAC in a Galois field (e.g., IPsec)
CCM: CBC-MAC, then CTR mode encryption (802.11i)
EAX: CTR mode encryption, then OMAC
OCB: Requires only one call to the underlying block cipher per block
All of them support authenticated encryption with associated (public) data: the associated data is authenticated but not encrypted, while the encrypted data is both encrypted and authenticated.
                      |---- encrypted ----|
|-- Associated Data --|-- Encrypted Data --|
|------------- Authenticated --------------|
Speed values can be found on the second-to-last page of the Lecture 5 slides (Message Authentication Codes).