Message Integrity

1
Message Integrity

• CS255 Winter 06

2
Message Integrity

• Goal provide message integrity. No
  confidentiality.
• ex Protecting public binaries on disk.
  Protecting ads.
• Requires secret key k unknown to attacker.
• Def MAC I (S,V) defined over (K,M,T) is
  a pair of algorithms - S(k,m) outputs t?T ,
  - V(k,m,t) outputs yes or no

k
k
Message m
tag
Alice
Bob
Generate tag tag ? S(k, m)
3
Secure MACs

• Attackers power chosen message attack.
• for m1,m2,,mq attacker is given ti ?
  S(k,mi)
• Attackers goal existential forgery.
• produce some new valid message/tag pair
  (m,t).
• (m,t) ? (m1,t1) , , (mq,tq)
• Note attacker cannot even produce a valid tag
  for a nonsensical message.

4
Secure MACs

• For a MAC I(S,V) and adv. A we define a MAC
  game
• Def I(S,V) is a secure MAC if for all
  efficient A MAC AdvA,I
  PrChal. outputs 1
• is negligible.

Chal.
Adv.
k?K
b
5
Any secure PRF is a secure MAC

• Let F be a PRF over (K,X,Y). Define a MAC
  IF (S,V)
• S(k,m) F(k,m)
• V(k,m,t) output yes if t F(k,m) and no
  otherwise.
• Theorem If F is a secure PRF and 1/Y is
  negligible then IF is a secure MAC.
• In particular, for any MAC adversary A
  attacking IF there exists a PRF adversary B
  attacking F s.t.
• MAC AdvA, IF ? PRF AdvB, F 1/Y
• ? IF is secure as long as Y is large, say
  Y 280 .

6
Proof Sketch

• Intuition
• Adversary A issues chosen message queries m1,m2,
  
• Gets back F(k,m1) , F(k,m2) ,
• Must guess F(k,m) for m ? m1, m2,
• But F is a PRF, so prob A guesses F(k,m) is
  1/X
• Truncating MACs
• Suppose MAC is a PRF outputting n-bit tags (Y
  2n).
• It is OK to truncate the MAC output to wltn bits.
• as long as 1/2w is still negligible
  (say w?64)

7
Examples

• AES a MAC for 16-byte messages.
• Main question how to convert Small-MAC into
  a Big-MAC ?
• Two main constructions
• CBC-MAC (banking ANSI X9.9, X9.19, FIPS
  186-3)
• HMAC (Internet protocols SSL, IPsec, SSH, )
• Both convert a small-PRF into a big-PRF.

8
Construction 1 (E) CBC-MAC

m0
m1
m3
m4
?
?
?
?
F(k,?)
F(k,?)
F(k,?)
F(k,?)
F(k1,?)
tag
Let F be PRF over (K,X,X) Define new PRF FCBC
over (K2 , XL , X )
9
CBC-MAC Analysis

• CBC-MAC Theorem For any Lgt0, If F is a
  secure PRF over (K,X,X) then FCBC is a secure
  PRF over (K, X?L, X).
• In particular, for a q-query PRF adv. A
  attacking FCBC there exists a PRF adversary B
  s.t.
• PRF AdvA, FCBC ? PRF AdvB, F 2 q2
  Lo(1) / X
• Note CBC-MAC is secure as long as q ltlt
  X1/2

10
Why the last encryption step?

• Suppose we define a MAC IRAW (S,V)
  where
• S(k,m) RawCBC(k,m)
• Fact IRAW is easily broken using a chosen
  msg attack.
• Adversary works as follows
• Pick an arbitrary one-block message m?M
• Request tag for m. Get t F(k,m)
• Output t as MAC forgery for the message (m,
  t?m)
• Indeed RawCBC(k, (m, t?m) ) F(k, t?(t?m) )
  t
• Unimportant note RawCBC is secure for
  prefix-free inputs.

11
CBC-MAC Padding

• What is length of m is not multiple of
  block-size?
• Bad idea pad m with 0s
• Vulnerable to chosen message attack
• ask for tag on m and obtain tag on m0
• ISO pad with 1000?00. Add new block if
  needed.
• The 1 indicates beginning of pad.
• CMAC different padding. Never adds an extra
  block.

12
Construction 2 PMAC

• CBC-MAC is sequential. PMAC Parallel MAC.

m0
m1
m3
m4
?
?
?
?
F(k,?)
F(k,?)
F(k,?)
F(k,?)
?
F(k1,?)
tag
13
PMAC Analysis

• PMAC Theorem For any Lgt0, If F is a secure
  PRF over (K,X,X) then FPMAC is a secure PRF
  over (K, X?L, X).
• In particular, for a q-query PRF adv. A
  attacking FPMAC there exists a PRF adversary B
  s.t.
• PRF AdvA, FPMAC ? PRF AdvB, F 2 q2
  L2 / X
• Note PMAC is secure as long as qL ltlt
  X1/2
• Note PMAC is incremental. Homework.

14
Construction 3 HMAC (Hash-MAC)

• Most widely used MAC on the Internet.
• but, we first we discuss hash function.

15
Collision Resistant Hashing
16
Collision Resistance

• Let H M ?T be a hash function.
• A collision for H is a pair m0 , m1 ? M such
  that
• H(m0) H(m1) and m0 ? m1
• Def A function H is collision resistant if
  for all (uniform) efficient algs. A
• CR AdvA,H Pr A outputs collision for
  H
• is negligible
• Used to have lots of examples MD5, SHA1,
• Currently, only SHA-256, SHA-512,
  Whirpool
• 44.5MB/sec, 11.4, 12.1

216MB/s 68
17
MACs from Collision Resistance

• Let I (S,V) be a MAC for small messages over
  (K,M,T).
• Let H Mbig ? M
• Define Ibig (Sbig , Vbig ) over (K,
  Mbig, T) as
• Sbig(k,m) S(k,H(m)) Vbig(k,m,t)
  V(k,H(m),t)
• Theorem If I is a secure MAC and H is
  collision resistant then Ibig is a secure
  MAC.
• So S(k,m) AES(k, SHA-256(m)) is a secure
  MAC.