Foundations of Network and Foundations of Network and Computer SecurityComputer SecurityJJohn BlackLecture #6Sep 8th2005CSCI 6268/TLEN 5831, Fall 2005Announcements• Quiz #1 later today• Still some have not signed up for class mailing list– Perhaps people still in class but are intending to drop?!• Please do this by end of todayThe Big (Partial) PicturePrimitivesBlock CiphersHash FunctionsHard ProblemsStream CiphersFirst-LevelProtocolsSymmetric EncryptionDigital SignaturesMAC SchemesAsymmetric EncryptionSecond-LevelProtocolsSSH, SSL/TLS, IPSecElectronic Cash, Electronic Voting(Can do proofs)(Can do proofs)(No one knows how to prove security; make assumptions)Symmetric Authentication: The Intuitive Model• Here’s the intuition underlying the authentication model:– Alice and Bob have some shared, random string K– They wish to communicate over some insecure channel–An active adversary is able to eavesdrop and arbitrarily insert packets into the channelAdversaryAliceKey KKey KBobAuthentication: The Goal• Alice and Bob’s Goal:– Alice wishes to send packets to Bob in such a way that Bob can be certain (with overwhelming probability) that Alice was the true originator• Adversary’s Goal:– The adversary will listen to the traffic and then (after some time) attempt to impersonate Alice to Bob– If there is a significant probability that Bob will accept the forgery, the adversary has succeededThe Solution: MACs• The cryptographic solution to this problem is called a Message Authentication Code (MAC)– A MAC is an algorithm which accepts a message M, a key K, and possibly some state (like a nonce N), and outputs a short string called a “tag”MACMKNtag = MACK(M, N)MACs (cont)• Alice computes tag = MACK(M, N) and sends Bob the message (M, N, tag)• Bob receives (M’, N’, tag’) and checks if MACK(M’, N’) == tag’– If YES, he accepts M’ as authentic– If NO, he rejects M’ as an attempted forgery• Note: We said nothing about privacy here! M might not be encrypted(M’, N’, tag’)MACK(M’, N’) == tag’??YNACCEPTREJECTBobSecurity for MACs• The normal model is the ACMA model– Adaptive Chosen-Message Attack• Adversary gets a black-box called an “oracle”– Oracle contains the MAC algorithm and the key K– Adversary submits messages of his choice and the oracle returns the MAC tag– After some “reasonable” number of queries, the adversary must “forge”• To forge, the adversary must produce a new message M*along with a valid MAC tag for M*– If no adversary can efficiently forge, we say the MAC is secure in the ACMA modelBuilding a MAC with a Blockcipher • Let’s use AES to build a MAC– A common method is the CBC MAC:• CBC MAC is stateless (no nonce N is used)• Proven security in the ACMA model provided messages are all of once fixed length• Resistance to forgery quadratic in the aggregate length of adversarial queries plus any insecurity of AES• Widely used: ANSI X9.19, FIPS 113, ISO 9797-1AESKM1AESKAESKtagM2MmCBC MAC notes• Just like CBC mode encryption except:– No IV (or equivalently, IV is 0n)– We output only the last value• Not parallelizable• Insecure if message lengths varyBreaking CBC MAC• If we allow msg lengths to vary, the MAC breaks– To “forge” we need to do some (reasonable) number of queries, then submit a new message and a valid tag• Ask M1= 0nwe get t = AESK(0n) back• We’re done! – We announce that M*= 0n|| t has tag t as well– (Note that A || B denotes the concatenation of strings A and B)Varying Message Lengths: XCBC• There are several well-known ways to overcome this limitation of CBC MAC• XCBC, is the most efficient one known, and is provably-secure (when the underlying block cipher is computationally indistinguishable from random)– Uses blockcipher key K1 and needs two additional n-bit keys K2 and K3 which are XORed in just before the last encipherment• A proposed NIST standard (as “CMAC”)AESK1M1AESK1AESK1tagM2MmK2 if n divides |M|K3 otherwiseUMAC: MACing Faster• In many contexts, cryptography needs to be as fast as possible– High-end routers process > 1Gbps– High-end web servers process > 1000 requests/sec• But AES (a very fast block cipher) is already more than 15 cycles-per-byte on a PPro– Block ciphers are relatively expensive; it’s possible to build faster MACs• UMAC is roughly ten times as fast as current practiceUMAC follows the Wegman-Carter Paradigm• Since AES is (relatively) slow, let’s avoid using it unless we have to– Wegman-Carter MACs provide a way to process M first with a non-cryptographic hash function to reduce its size, and then encrypt the resultMessage Mhash functionhash keyencryptencryption keyhash(M)tagThe Ubiquitous HMAC• The most widely-used MAC (IPSec, SSL, many VPNs)• Doesn’t use a blockcipher or any universal hash family– Instead uses something called a “collision resistant hash function” H• Sometimes called “cryptographic hash functions”• Keyless object – more in a moment•HMACK(M) = H(K ⊕ opad || H(K ⊕ ipad || M))• opad is 0x36 repeated as needed• ipad is 0x5C repeated as neededNotes on HMAC•Fast– Faster than CBC MAC or XCBC• Because these crypto hash functions are fast•Slow– Slower than UMAC and other universal-hash-family MACs• Proven security– But these crypto hash functions have recently been attacked and may show further weaknesses soonWhat are cryptographic hash functions?OutputMessagee.g., MD5,SHA-1Hash Function• A cryptographic hash function takes a message from{0,1}*and produces a fixed size output• Output is called “hash” or “digest” or “fingerprint”• There is no key• The most well-known are MD5 and SHA-1 but thereare other options• MD5 outputs 128 bits• SHA-1 outputs 160 bits% md5Hello There^DA82fadb196cba39eb884736dcca303a6%T ← A << 5 + gt(B, C, D) + E + Kt+ WtSHA-1...M1M2Mmfor i = 1 to m doWt= {t-th word of Mi0 ≤ t ≤ 15( Wt-3⊕ Wt-8⊕ Wt-14⊕ Wt-16 ) << 1 16 ≤ t ≤ 79A ← H0i-1; B ← H1i-1; C ← H2i-1; D ← H3i-1; E ← H4i-1for t = 1 to 80 doE ← D; D ← C; C ← B >> 2; B ← A; A ← TH0i← A + H0i-1; H1i← B + H1i-1; H2i← C+ H2i-1; H3i← D + H3i-1; H4i← E + H4i-1endendreturn H0mH1mH2mH3mH4m512 bits160 bitsReal-world applications• Message authentication codes (HMAC) • Digital signatures (hash-and-sign)• File