introduction to cybersecurity cryptography (part 3) · 2016-12-16 · cryptography (part 3) prof....
TRANSCRIPT
Introduction to Cybersecurity: Cryptography (Part 3), Prof. Dr. Michael Backes
Lecture Summary
Blockciphers
• Review of DES
• Attacks on Blockciphers
• Advanced Encryption Standard (AES)
• Modes of Operation
MACs and Hashes
• Message Authentication Codes
• Hash Functions
• Compression Functions
• Merkle-Damgård Construction
• MACs from Hashes
1Introduction to Cybersecurity 2016/17
Review: Block Ciphers
Figure: a block cipher as the pair (E, D) under a shared key K; encryption c := E(K, m) maps a message block (short, e.g., 128 bits) to a ciphertext block of the same length (also 128 bits), and decryption m := D(K, c) maps it back.
Feistel Networks
Figure: round d of a Feistel network maps (L_{d-1}, R_{d-1}) to (L_d, R_d) with L_d = R_{d-1} and R_d = L_{d-1} ⊕ f_d(R_{d-1}); the output of the last round is the ciphertext.
Review: DES
Figure: DES is a 16-round Feistel network on the halves (L_0, R_0), (L_1, R_1), …, (L_16, R_16) with round functions f_1, …, f_16, preceded by an initial permutation IP of the plaintext and followed by the inverse of the initial permutation IP^{-1} to produce the ciphertext.
Exhaustive Search Attacks
The simplest conceivable attack.
Given:
- a few PT/CT pairs (m_1, c_1), (m_2, c_2), …, i.e., c_i = E(K, m_i) for i = 1, 2, …, where the m_i are random elements of {0,1}^n
Goal: Total break, i.e., find K such that c_i = E(K, m_i) for all i.
Note: No stream cipher would resist this setting: multiple encryptions with the same key!
Exhaustive Search Attacks for DES
How many PT/CT pairs until K is uniquely determined?
Theorem: For DES, given one random PT/CT pair (m, c), there is a unique K such that E(K, m) = c with very high probability (≥ 1 − 1/256).
“Proof” (only heuristic, by idealizing DES into an ideal cipher, i.e., a collection of 2^56 random permutations on {0,1}^64):
[proof in the lecture notes]
Consequence: Exhaustive search is possible on DES given only one PT/CT pair.
DES Challenge
Exhaustive Search Challenge set by RSA Security
m = “The unknown message is: ----------”
CT = c_1 c_2 c_3 c_4 c_5
Originally $10,000 for solving this challenge
1997: Internet search: 3 months
1998: EFF: 3 days, having spent $250K
1999: 22 hours
Some ways of saving DES: For instance, Triple DES
Avoiding Exhaustive Search: Triple DES (3DES)
General Method: Let (𝐾, 𝐸, 𝐷) be a cipher
Let TE((K_1, K_2, K_3), m) := E(K_3, D(K_2, E(K_1, m)))
Why not 3 times E? Backwards compatibility (with K_1 = K_2 = K_3, TE reduces to a single E)
Problem: 3 times slower than E
Key size: 3 · 56 = 168 bits
Why not Double DES (2DES)?
Figure: m → E(K_1, ·) → E(K_2, ·) → c
DE((K_1, K_2), m) := E(K_2, E(K_1, m))
Attack by “meet-in-the-middle”
Meet-in-the-middle Attack
Given PT/CT pair (m, c), c = E(K_2, E(K_1, m)).
1. Set up the following table:
   K_2^(1)       D(K_2^(1), c)
   K_2^(2)       D(K_2^(2), c)
   K_2^(3)       D(K_2^(3), c)
   …             …
   K_2^(2^56)    D(K_2^(2^56), c)
Takes time 2^56, then sort the right column of the table.
Meet-in-the-middle (cont’d)
2. For each K_1 in {0,1}^56:
   - Test whether E(K_1, m) is in the right column of the table
   - If it is, then E(K_1, m) = D(K_2^(j), c) for some j, and the key is (K_1, K_2^(j))
Total time for exhaustive search (ignoring log-factors): 2^56 + 2^56 = 2^57
Effective key length less than 57 bits
Meet-in-the-Middle on 3-DES
Figure: m → E(K_1, ·) → D(K_2, ·) → E(K_3, ·) → c
Can we do meet-in-the-middle for 3-DES?
Attack by “meet-in-the-middle”
Time for meet-in-the-middle on 3-DES: 2^112
Effective key length of 3-DES ≤ 112 bits
Sophisticated Attacks on BC (cont’d)
1. Linear & differential cryptanalysis (more in the core lectures)
2. Implementation attack (side-channel attack)
Sophisticated Attacks on BC
1. Linear and differential cryptanalysis
Basic idea of linear cryptanalysis:
- Suppose that for random m, K and c = E(K, m) there are r bit positions i_1, …, i_r of m, v bit positions j_1, …, j_v of c and u bit positions l_1, …, l_u of K such that
  $\Pr[m_{i_1} \oplus m_{i_2} \oplus \cdots \oplus m_{i_r} \oplus c_{j_1} \oplus \cdots \oplus c_{j_v} \oplus K_{l_1} \oplus \cdots \oplus K_{l_u} = 1] \ge \tfrac{1}{2} + \varepsilon$
  (holds for DES with ε = 2^{-21}; e.g., the 5th S-box of DES has bias ε = 2^{-21})
- Then it holds:
  $\Pr[m_{i_1} \oplus m_{i_2} \oplus \cdots \oplus m_{i_r} \oplus c_{j_1} \oplus \cdots \oplus c_{j_v} = K_{l_1} \oplus \cdots \oplus K_{l_u}] \ge \tfrac{1}{2} + \varepsilon$
Theorem: Given $1/\varepsilon^2$ PT/CT pairs, then
  $K_{l_1} \oplus \cdots \oplus K_{l_u} = \mathrm{MAJ}_{PT/CT}\big[m_{i_1} \oplus m_{i_2} \oplus \cdots \oplus m_{i_r} \oplus c_{j_1} \oplus \cdots \oplus c_{j_v}\big]$
  will hold with probability ≥ 97.7%.
Linear Cryptanalysis on DES
For DES: ε = 2^{-21}
Given 1/ε² = 2^42 PT/CT pairs, we get K_{l_1} ⊕ ⋯ ⊕ K_{l_u}
In the same way, we can deduce 14 “bits” of the key using various other relations
Then exhaustive search on the remaining key space of 2^56 / 2^14 = 2^42 keys
Time needed:
- 2^42 steps for using linearity to deduce 14 bits
- 2^42 steps for exhaustive search on the remaining key space
2^43 steps total
Conclusion: Don’t (seriously) design block ciphers yourself!
Sophisticated Attacks on BC (cont’d)
2. Implementation attack (side-channel attack)
Power cryptanalysis
Power-Consumption of DES
Sophisticated Attacks on BC (cont’d)
2. Implementation attack (side-channel attack)
Power cryptanalysis
Electromagnetic emanation
Timing
Sound
Do not even (seriously) implement ciphers!
Today: DES gone. AES new
AES: Advanced Encryption Standard
1997: NIST publishes CFP
1998: 165 submissions, 5 susceptible to attacks
1999: NIST chooses 5 finalists
2000: Rijndael selected as the winner
Key sizes: 128, 192, or 256 bits
Block sizes: 128 bits
Parameters of Rijndael and AES
AES: September 2000
Rijndael (secure for the next 10-20 years?):
- Flexible key sizes: 128, 192, or 256 bits
- Flexible block sizes: 128, 192 or 256 bits
AES: required Rijndael to use blocks of size 128 bits; keys of 128 bits are typical
The Rijndael Cipher (for 128-bit Key)
Rijndael key K (4x4 matrix of bytes):
  k0,0 k0,1 k0,2 k0,3
  k1,0 k1,1 k1,2 k1,3
  k2,0 k2,1 k2,2 k2,3
  k3,0 k3,1 k3,2 k3,3
Rijndael state A (4x4 matrix of bytes):
  a0,0 a0,1 a0,2 a0,3
  a1,0 a1,1 a1,2 a1,3
  a2,0 a2,1 a2,2 a2,3
  a3,0 a3,1 a3,2 a3,3
The Rijndael Cipher (cont’d)
1) SubBytes
2) ShiftRows
3) MixColumns
4) AddRoundKey
Figure: A_0 = plaintext → Round 1 → A_1 → Round 2 → A_2 → … → Round 10 → A_10 = ciphertext
Details on AES
AES round:
1. SubBytes: A[i,j] ← s-box(A[i,j]) (s-box based on inversion in GF(2^8))
   Non-linear substitution step: each byte is replaced according to a lookup table S, an 8-bit lookup table (matrix over GF(2^8)).
2. ShiftRows: For i = 0,1,2,3: rotate row i left by i positions
   Transposition step: each row is shifted cyclically by a certain number of steps.
3. MixColumns: Multiply each column by a fixed matrix (over GF(2^8)), giving A_i^(3)
   Mixing step operating on columns: the four bytes of each column are combined using a linear transformation (multiplication by a 4x4 matrix).
4. AddRoundKey:
   • A_{i+1} ← A_i^(3) ⊕ K_i
   • K_i = i-th round key derived from the 128-bit key K
   XOR the state with the round key; the round key is derived from the key by an explicit key schedule.
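As an added example (not from the lecture slides), the four round operations above on a 4x4 byte state in Python; the S-box is derived from inversion in GF(2^8) plus the affine map instead of being hard-coded, and the key schedule is left out (the round key K_i is passed in).

```python
# Added example (not from the lecture): one AES round on a 4x4 byte state.
# The S-box is computed from inversion in GF(2^8) followed by the affine map.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def sbox_byte(x: int) -> int:
    """S-box entry: inverse in GF(2^8) (0 -> 0), then b_i ^= b_{i+4} ^ ... ^ b_{i+7} ^ c_i."""
    inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
    out = 0x63  # the constant c of the affine map
    for i in range(8):
        bit = 0
        for j in (0, 4, 5, 6, 7):
            bit ^= (inv >> ((i + j) % 8)) & 1
        out ^= bit << i
    return out

SBOX = [sbox_byte(x) for x in range(256)]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # MixColumns matrix

def sub_bytes(s: list) -> list:
    return [[SBOX[b] for b in row] for row in s]

def shift_rows(s: list) -> list:
    """Rotate row i left by i positions (state is s[row][col])."""
    return [row[i:] + row[:i] for i, row in enumerate(s)]

def mix_columns(s: list) -> list:
    """Multiply every column by MIX over GF(2^8)."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(MIX[r][k], s[k][c])
            out[r][c] = acc
    return out

def add_round_key(s: list, k: list) -> list:
    return [[s[r][c] ^ k[r][c] for c in range(4)] for r in range(4)]

def aes_round(state: list, round_key: list) -> list:
    """A_{i+1} = MixColumns(ShiftRows(SubBytes(A_i))) xor K_i."""
    return add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key)
```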
Performance of DES+AES
Figure: performance comparison, grouped into stream ciphers and block ciphers.
Using BC: Electronic Codebook
1. Electronic Codebook (ECB): intuitive but naïve way (how not to do it)
Figure: ECB encryption, c_1 = E_K(m_1), c_2 = E_K(m_2), …, c_l = E_K(m_l): every block is encrypted independently under the same key.
ECB Reveals Patterns
Figure: the same data under ECB encryption and under another mode of operation; with ECB, equal plaintext blocks give equal ciphertext blocks, so patterns of the input remain visible.
Self-synchronization of ECB
Electronic Codebook (ECB)
- At least self-synchronizing (if the block length is preserved)
Figure: ECB decryption, m_1 = D_K(c_1), …, m_l = D_K(c_l); legend: a 1-bit failure in a ciphertext block causes failure of the complete corresponding plaintext block, and of no other block.
Using BC: Cipherblock Chaining
Cipherblock Chaining (CBC)
- Very often used, but main problem: sequential
- Initial value (IV) chosen randomly and output along with the ciphertext
- Self-synchronizing after two blocks (if the block length is preserved)
Figure: CBC encryption c_1 = E(K, m_1 ⊕ IV), c_2 = E(K, m_2 ⊕ c_1), …; CBC decryption m_1 = D(K, c_1) ⊕ IV, m_2 = D(K, c_2) ⊕ c_1, ….
Using BC: Cipher Feedback
Cipher Feedback (CFB)
- CFB similar to stream ciphers
- Also self-synchronizing after two blocks (if the block length is preserved)
- Note: No need for the decryption operation here
Figure: CFB encryption c_1 = m_1 ⊕ E(K, IV), c_2 = m_2 ⊕ E(K, c_1), …; CFB decryption m_1 = c_1 ⊕ E(K, IV), m_2 = c_2 ⊕ E(K, c_1), ….
Using BC: Output Feedback
Output Feedback (OFB)
- OFB similar to stream ciphers as well
- Strongly self-synchronizing (but loss of bits is dramatic)
- Note: No need for the decryption operation here
Figure: OFB keystream s_1 = E(K, IV), s_2 = E(K, s_1), …; encryption c_i = m_i ⊕ s_i, decryption m_i = c_i ⊕ s_i.
Using BC: Countermode
Countermode (CTR)
- Countermode similar to stream ciphers
- Note: OK to use the same key for multiple messages if the IV is random (randCTR); for a fixed IV (detCTR: IV = 0) the key may be used only once
- Note: No need for the decryption operation here
- Later: Better security than CBC
Figure: CTR encryption c_1 = m_1 ⊕ E(K, IV + 1), c_2 = m_2 ⊕ E(K, IV + 2), …; decryption m_i = c_i ⊕ E(K, IV + i).
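An added example, not from the lecture, that serves both the Feistel review and the modes above: a toy 64-bit Feistel cipher (four rounds with a SHA-256-based round function, not a real cipher) is run in CBC and CTR mode to observe how a 1-bit ciphertext error propagates, which is what the self-synchronization remarks describe. Key, IV and message used with it are constructed values.

```python
# Added example (not from the lecture): toy 64-bit Feistel cipher (SHA-256-based round
# function, NOT a real cipher) run in CBC and CTR mode to watch a 1-bit error propagate.
import hashlib

BLOCK = 8  # 64-bit blocks, split into two 32-bit halves L and R

def _f(key: bytes, rnd: int, right: int) -> int:
    """Round function f_rnd(R): first 32 bits of SHA-256(key || rnd || R)."""
    d = hashlib.sha256(key + bytes([rnd]) + right.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")

def encrypt_block(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in range(rounds):  # L_d = R_{d-1}, R_d = L_{d-1} xor f_d(R_{d-1})
        l, r = r, l ^ _f(key, rnd, r)
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")

def decrypt_block(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in reversed(range(rounds)):  # undo the rounds in reverse order
        l, r = r ^ _f(key, rnd, l), l
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]  # whole blocks only

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for m in blocks(pt):
        prev = encrypt_block(key, xor(m, prev))  # c_i = E(K, m_i xor c_{i-1}), c_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(key, c), prev))  # m_i = D(K, c_i) xor c_{i-1}
        prev = c
    return b"".join(out)

def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR: XOR with keystream E(K, IV + i); encryption and decryption coincide."""
    ctr = int.from_bytes(iv, "big")
    return b"".join(xor(b, encrypt_block(key, ((ctr + i) % 2**64).to_bytes(BLOCK, "big")))
                    for i, b in enumerate(blocks(data), start=1))

def damaged_after_bit_error(key, iv, pt, ct, decrypt_fn, index=1) -> list:
    """Flip one bit in ciphertext block `index`, decrypt, list the plaintext blocks that changed."""
    d = bytearray(ct)
    d[index * BLOCK] ^= 0x80
    rec = decrypt_fn(key, iv, bytes(d))
    return [i for i, (a, b) in enumerate(zip(blocks(pt), blocks(rec))) if a != b]
```

Under CBC the error hits the damaged block and the next one (then the chain resynchronizes), under CTR only the damaged block.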
Lecture Summary
Blockciphers
• Review of DES
• Attacks on Blockciphers
• Advanced Encryption Standard (AES)
• Modes of Operation
MACs and Hashes
• Message Authentication Codes
• Hash Functions
• Compression Functions
• Merkle-Damgård Construction
• MACs from Hashes
Message Integrity
Goal of message integrity:
Alice generates tag 𝑡 for message 𝑚, Bob verifies tag
Goal: Attacker cannot change message, i.e., attacker cannot generate any valid pair (𝑚, 𝑡)
Figure: Alice adds a MAC to the plaintext under the shared key and sends the plaintext with MAC; Bob verifies it under the same key and obtains the plaintext.
Definition of MACs
Definition: Message Authentication Codes
A message authentication code with message space ℳ and tag space 𝒯 is a triple of algorithms (K, S, V) with the following properties:
- The randomized key generation algorithm K takes no input and returns a key k.
- The (often randomized) signing algorithm S takes a key k ∈ [K] and a message m ∈ ℳ and returns a tag t ∈ 𝒯.
- The deterministic verification algorithm V takes a key k ∈ [K], a message m ∈ ℳ and a tag t ∈ 𝒯 and returns a bit b ∈ {0,1}.
Correctness:
The above algorithms have to satisfy the following property: for any key k ∈ [K], any message m ∈ ℳ, and any tag t ∈ [S(k, m)], we have V(k, m, t) = 1.
From small MACs to big MACs
Question: Given a small MAC, how to build a big MAC?
CBC-MAC: banking (ANSI X9.9, X9.19, ISO, FIPS 186-3)
HMAC: Internet (SSL, IPSec, SSHv2)
Figure: a small MAC (512-bit input) versus a big MAC (100 MB input).
(Encrypted) CBC-MAC
Let E: 𝒦 × 𝒳 → 𝒴 be an encryption function.
Define CBC-MAC I_E as follows: I_E is a function from 𝒦² × 𝒳^L → 𝒴.
Figure: m_1, m_2, m_3, m_4 are chained through E(k_1, ·) (each block is XORed with the previous output before encryption), and the final value is encrypted once more with E(k_2, ·) to produce the tag.
Why the last encryption?
Raw CBC-MAC is an insecure MAC!
Chosen-message attack:
1. Adv. picks a random one-block-length message m ∈ 𝒳
2. Adv. requests the tag (MAC) for message m and gets t := E(k, m)
3. Adv. outputs t as MAC forgery on the two-block-length message (m ‖ (t ⊕ m))
Raw CBC-MAC
Figure: raw CBC-MAC: the chain of E(k_1, ·) over m_1, …, m_4 with the final E(k_2, ·) step left out.
On Raw CBC-MAC
Claim: The tag t is really an existential forgery against raw CBC-MAC. We have
  CBC-MAC(k, m) = E(k, m) = t
and:
  CBC-MAC(k, m ‖ (t ⊕ m))
  = E(k, E(k, m) ⊕ (t ⊕ m))
  = E(k, t ⊕ t ⊕ m)
  = E(k, m) = t
Note: Raw CBC-MAC is secure for fixed message size
Prepending the message length also works, but is not elegant
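The chosen-message attack above and the reason for the final E(k_2, ·), as an added example that is not part of the lecture: a SHA-256-based keyed function stands in for the block cipher (CBC-MAC only evaluates E forwards), and the same forgery check is run against raw and encrypted CBC-MAC.

```python
# Added example (not from the lecture): the raw CBC-MAC forgery of the slide beside
# the encrypted CBC-MAC that rejects it. A SHA-256-based keyed function stands in
# for the block cipher, which suffices because CBC-MAC only evaluates E forwards.
import hashlib
import hmac
import os

N = 16  # block length in bytes

def E(k: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher E(k, .) on N-byte blocks (forward direction only)."""
    assert len(x) == N
    return hashlib.sha256(b"E" + k + x).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def raw_cbc_mac(k: bytes, m: bytes) -> bytes:
    """Raw CBC-MAC: CBC-chain E(k, .) over the blocks, output the last chaining value."""
    assert len(m) % N == 0, "whole blocks only, as on the slide"
    h = bytes(N)
    for i in range(0, len(m), N):
        h = E(k, xor(h, m[i:i + N]))
    return h

def encrypted_cbc_mac(keys: tuple, m: bytes) -> bytes:
    """Encrypted CBC-MAC I_E: encrypt the raw CBC value once more under k2."""
    k1, k2 = keys
    return E(k2, raw_cbc_mac(k1, m))

def forgery_accepted(mac, key, m: bytes) -> bool:
    """The slide's chosen-message attack, run as a self-test of `mac`: obtain
    t = mac(key, m) for one-block m, then check whether t also verifies as the
    tag of the two-block message m || (t xor m)."""
    t = mac(key, m)
    forged = m + xor(t, m)
    return hmac.compare_digest(mac(key, forged), t)

def self_test() -> tuple:
    """(raw accepts the forgery, encrypted accepts the forgery) for fresh random keys."""
    k1, k2, m = os.urandom(16), os.urandom(16), os.urandom(N)
    return (forgery_accepted(raw_cbc_mac, k1, m),
            forgery_accepted(encrypted_cbc_mac, (k1, k2), m))
```

With the second key the adversary only ever sees E(k_2, E(k_1, m)), never the chaining value t needed to build m ‖ (t ⊕ m).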
Examples of MACs
Popular example: CBC-MAC, used by banks, etc.; sequential; not discussed here (see the lecture notes if you’re curious!)
Now: HMAC, used in lots of Internet protocols; incremental
First: Hash functions and collision resistance
Figure: HTTP, IMAP, FTP, LDAP running on top of SSL or TLS
Hash Functions
Let H: ℳ → 𝒯 be a (non-keyed) hash function (often H: {0,1}* → {0,1}^n)
A collision for H is a tuple (m_1, m_2) with
  H(m_1) = H(m_2) ∧ m_1 ≠ m_2
Definition: Collision Resistant Hash Function (CRHF)
A hash function H is collision resistant if no “efficient” algorithm is known that finds a collision for H in suitable time.
Remark: Defining that “no efficient adversary exists that finds a collision” cannot be fulfilled
Examples of CRHFs
Used to have lots of CRHFs examples
Broken:
MD5 (broken): 128-bit digest, 335 MB/s
SHA-1 (broken): 160-bit digest, 192 MB/s
Not only nonsensical collisions for MD5 but selective ones.
Currently still available:
SHA-2 family, e.g. SHA-256: 256-bit digest, 139 MB/s
Whirlpool (AES): 512-bit digest, 37.8 MB/s
SHA-3 family, e.g. SHA3-256: 256-bit digest, 177 MB/s
How to build collision-resistant hash functions?
Birthday Paradox
Let r_1, …, r_n ∈ {1, …, B} be independently randomly chosen integers.
Theorem: $\Pr[\exists i \ne j : r_i = r_j] = 1 - \frac{n! \cdot \binom{B}{n}}{B^n} \approx 1 - e^{-n(n-1)/(2 \cdot B)}$
In particular, if $n > 1.2 \cdot \sqrt{B}$ then $\Pr[\exists i \ne j : r_i = r_j] \ge \tfrac{1}{2}$.
Students in classroom (= n)   Probability of collision (B = 365)
 5                             2.7%
10                            11.7%
20                            41.1%
23                            50.7%
30                            70.6%
40                            89.1%
70                            99.9%
Generic attacks on CRHFs
Consequence: If the hash output were 64 bits, i.e., H: {0,1}* → {0,1}^64, then the generic attack takes time only 2^32.
Typical hash output is 160 bits (SHA-1) or 256 bits (SHA-256, SHA3-256); the generic attack takes time 2^80 or 2^128, respectively.
Best attack on SHA-1: estimated time 2^61, which beats the generic attack; cost estimate $2.77M to break a single hash value by renting CPU power from cloud servers! (only $43K by 2021)
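The birthday bound and the resulting generic attack, as an added example (not from the lecture): the exact and approximate collision probabilities of the theorem, the smallest n reaching 1/2, and a generic collision search against SHA-256 chopped to a small number of bits, standing in for the short-output hash of the consequence above.

```python
# Added example (not from the lecture): the birthday bound computed exactly and
# via the approximation of the theorem, plus a generic collision search against
# SHA-256 chopped to `bits` bits (a stand-in for a short-output hash).
import hashlib
import math

def collision_prob_exact(n: int, B: int) -> float:
    """Pr[exists i != j: r_i = r_j] = 1 - n! C(B, n) / B^n = 1 - prod_{i<n} (B - i)/B."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (B - i) / B
    return 1.0 - p_all_distinct

def collision_prob_approx(n: int, B: int) -> float:
    """The slide's approximation 1 - exp(-n(n-1) / (2B))."""
    return 1.0 - math.exp(-n * (n - 1) / (2 * B))

def draws_for_half(B: int) -> int:
    """Smallest n with collision probability >= 1/2 (compare with 1.2 * sqrt(B))."""
    n = 1
    while collision_prob_exact(n, B) < 0.5:
        n += 1
    return n

def truncated_hash(data: bytes, bits: int) -> int:
    """Model of H: {0,1}* -> {0,1}^bits: the leading `bits` bits of SHA-256."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def find_collision(bits: int, max_hashes: int):
    """Generic attack: hash distinct inputs, store digests, stop at the first repeat.
    Expected cost is about sqrt(2^bits) hashes; returns (m1, m2, hashes_used)."""
    seen = {}
    for i in range(max_hashes):
        msg = i.to_bytes(8, "big")  # constructed, pairwise distinct inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None
```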
Constructing CRHFs
Merkle-Damgård (iterated construction)
- pad is the padding function (injective)
- f: {0,1}^k × {0,1}^n → {0,1}^n is the compression function
- h_i are called chaining variables
- IV is the initial value
Figure: message m → padding pad → blocks b_0, b_1, b_2, b_3, b_4; h_0 = IV, h_{i+1} = f(b_i, h_i), and the last chaining value is the hash h.
Padding function pad encodes the length of m in the last block b_last, such that b_last is in {0,1}^k
Called Merkle-Damgård strengthening
Padding for Merkle-Damgård
Figure: the last block has the form 1 0 0 … 0 ‖ |m|, with |m| encoded in 64 bits.
Collision-resistance of Merkle-Damgård
Theorem: Collision-resistance of Merkle-Damgård
If the compression function f is collision-resistant, then the (strengthened) Merkle-Damgård construction MD is also collision-resistant.
Proof idea: show that breaking MD implies breaking f (by induction). Assume MD(m) = MD(m′), pad(m) = b_0, …, b_l and pad(m′) = b′_0, …, b′_l.
Figure: the two chains f(b_i, h_i) and f(b′_i, h′_i) over blocks b_0/b′_0, …, b_4/b′_4, both starting from IV and ending in the same hash h.
2 options (working backwards from the common hash):
1. (h_i, b_i) ≠ (h′_i, b′_i) → found a collision for f
2. (h_i, b_i) = (h′_i, b′_i) → we can iterate
Hence: either both inputs are the same, or we find a collision for f!
More on this in the core lecture!
Corollary: To build a collision-resistant hash function, we only need to build a (small) collision-resistant compression function!
Examples
SHA-2: MD hash function using a Davies-Meyer compression function based on a cipher called SHACAL-2
Whirlpool: MD hash function using a Miyaguchi-Preneel compression function using a cipher called W (derived from AES)
SHA-3: sponge construction (more complex), but could be seen as chop-MD hash function (i.e., MD with a non-trivial number of bits chopped off the final hash value) with custom permutation-based compression function.
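The strengthened Merkle-Damgård construction as added example code (not from the lecture): the compression function f is a SHA-256-based stand-in with k = 512 and n = 256 bits, and the padding is the 1 0…0 ‖ |m| scheme of the slide.

```python
# Added example (not from the lecture): strengthened Merkle-Damgard over a
# stand-in compression function f built from SHA-256, with k = 512-bit blocks,
# n = 256-bit chaining values and the 1 0...0 || |m| padding of the slide.
import hashlib

K_BYTES, N_BYTES = 64, 32   # block length k and chaining length n, in bytes
IV = bytes(N_BYTES)         # fixed, public initial value h_0

def f(block: bytes, h: bytes) -> bytes:
    """Compression function f: {0,1}^k x {0,1}^n -> {0,1}^n (stand-in)."""
    assert len(block) == K_BYTES and len(h) == N_BYTES
    return hashlib.sha256(h + block).digest()

def md_pad(m: bytes) -> bytes:
    """pad(m): append a 1 bit, then 0 bits, then |m| as a 64-bit big-endian
    integer, so the result is a whole number of k-bit blocks (MD strengthening)."""
    bit_len = 8 * len(m)
    out = m + b"\x80"
    out += b"\x00" * ((-len(out) - 8) % K_BYTES)
    out += bit_len.to_bytes(8, "big")
    assert len(out) % K_BYTES == 0
    return out

def md_blocks(m: bytes) -> list:
    """b_0, ..., b_l: the padded message cut into k-bit blocks."""
    p = md_pad(m)
    return [p[i:i + K_BYTES] for i in range(0, len(p), K_BYTES)]

def md_hash(m: bytes) -> bytes:
    """h_0 = IV, h_{i+1} = f(b_i, h_i); the last chaining variable is the hash."""
    h = IV
    for b in md_blocks(m):
        h = f(b, h)
    return h
```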
MACs from Hash Functions
Given an MD hash function H: ℳ → 𝒯
Construction attempt:
  S(k, m) = H(k ‖ m)
Bad idea…
Construction attempt:
  S(k, m) = H(m ‖ k)
“Bad” idea in general, but for a different reason…
(At least secure if H is a CRHF and the compression function f is a PRF)
Construction attempt (envelope method):
  S((k_1, k_2), m) = H(k_1 ‖ m ‖ k_2)
Secure if f is a PRF (not often used in practice)
MACs from Hash Functions
Recommended method in practice: HMAC
  S(k, m) = H((k ⊕ opad) ‖ H((k ⊕ ipad) ‖ m))
TLS 1.2: implementations must support HMAC-SHA1 (mandatory); HMAC-SHA256 (or stronger) is recommended.
Theorem: Strong unforgeability of HMAC
If the (sequence of) compression function(s) f(x, y) is a secure PRF (when either input is used as the key), then HMAC is a strongly unforgeable MAC.
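HMAC as written above, as an added example (not from the lecture): instantiated with SHA-256 and cross-checked against Python's hmac module; the byte values 0x36 (ipad) and 0x5C (opad) repeated to the block size are the standard constants, and the keys and messages used are constructed.

```python
# Added example (not from the lecture): HMAC as on the slide,
# S(k, m) = H((k xor opad) || H((k xor ipad) || m)), with H = SHA-256,
# cross-checked against Python's hmac module. Keys and messages are constructed.
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 input block in bytes (the k of the compression function)

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    if len(key) > BLOCK_SIZE:                      # over-long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")           # shorter keys are zero-padded to k bits
    k_ipad = bytes(b ^ 0x36 for b in key)          # k xor ipad
    k_opad = bytes(b ^ 0x5C for b in key)          # k xor opad
    inner = hashlib.sha256(k_ipad + msg).digest()  # H((k xor ipad) || m)
    return hashlib.sha256(k_opad + inner).digest() # H((k xor opad) || inner)

def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """V(k, m, t): recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)

def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check against the standard library's HMAC implementation."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()
```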