Academy PRO: Cryptography 3
Download as PPTX, PDF1 like228 views
The document discusses various cryptographic concepts such as MACs, hashes, key derivation functions, and authenticated encryption. It describes techniques for constructing secure MACs like ECBC-MAC and PMAC, and explains attacks like length-extension attacks and collision attacks. The document also covers standards for authenticated encryption like GCM, CCM, and EAX that combine encryption and message authentication codes.
![Security
Secure if Pr[b=1] is negligible](https://image.slidesharecdn.com/cryptography3-171106122333/85/Academy-PRO-Cryptography-3-3-320.jpg)
![PMAC, Parallelizable MAC
Incremental if F is PRP:
m[1] → m`[1]
tag` = F(k,x), where
x = F-1(k, tag)⊕F(k, m[1], P(k,1))⊕F(k, m`[1],
P(k,1))](https://image.slidesharecdn.com/cryptography3-171106122333/85/Academy-PRO-Cryptography-3-5-320.jpg)
![Ciphertext integrity
m1, m2, mn
c1←E(k, m1), c2, cn
b
Challenger Adversary
b = 1 if D(k, c) valid and c` not in {c1, c2, cn}
b = 0 otherwise
Has integrity if Pr[b=1] ≈ 0
k
c`](https://image.slidesharecdn.com/cryptography3-171106122333/85/Academy-PRO-Cryptography-3-14-320.jpg)
Academy PRO: Cryptography 3
- 1. MAC, Hashes
- 2. MAC, Message Authentication Code
- 3. Security Secure if Pr[b=1] is negligible
- 4. ECBC-MAC Secure as long as q << |X|½, where |X| - length of message, q - number of messages. Raw CBC-MAC is insecure Commonly used as AES- based MAC (CCM mode in Wi-Fi) CMAC is similar
- 5. PMAC, Parallelizable MAC Incremental if F is PRP: m[1] → m`[1] tag` = F(k,x), where x = F-1(k, tag)⊕F(k, m[1], P(k,1))⊕F(k, m`[1], P(k,1))
- 6. Length-extension attack Knowing hash(m) and len(m) it is possible to calculate hash(m||m`) Vulnerable: Merkle–Damgård (MD5, SHA-1, SHA-2) Not vulnerable: HMAC, SHA-3 Original Data: count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo Original Signature: 6d5f807e23db210bc254a28be2d6759a0f5f5d99 Desired New Data: count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo&waffle=liege New Data: count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggox80x00x00 x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 x00x00x02x28&waffle=liege Setup function’s internal state. New Signature: 0e41270260895979317fff3898ab85668953aaa2
- 7. Cryptographic hashes Pre-image resistance. Infeasible to recover message from hash Second pre-image resistance. Given m1 it is difficult to find m2 such that hash(m1) = hash(m2) Collision resistance. Infeasible to find pair m1, m2 such that hash(m1) = hash(m2) Avalanche effect. One bit change in messages results in uncorrelated hashes.
- 8. Merkle-Damgard hash f is compression function often built from block cipher E Fortified by Wide pipe construction (internal state bigger than output)
- 9. Collisions, Birthday paradox For p < 0.5 N ≈ √(2m * p(N)), where p - probability of collision, m - size of set, N - size of set where collision exists For birthdays: √(2 * 365 * 0.5) ≈ 19 For 128-bit hash: √(2 * 2128 * 0.5) ≈ 264 *IRL people’s birthdays are not uniformly distributed, unlike ideal hashes
- 10. KDF, Key derivation function Prevents stealing of password Makes strong key from weak short password Slower than regular hash Random salt prevents attack by dictionary PBKDF2, bcrypt, scrypt, Argon2 KDF(password + pepper, salt, iterations, keylen, digest), pepper is optional hardcoded const, digest is a hash function
- 11. HMAC Ipad, opad - magic numbers Secure as long as q << |T|1/2
- 12. Timing attack Loop over all possible values of first byte and query server. Stop when response time increased. Repeat for all bytes. Make hash string comparator always take the same time.
- 13. Authenticated encryption Integrity. MACs. Unforgeability under CPA. Confidentiality. Semantic security under CPA. Encryption secure eavesdropping only. Integrity + Confidentiality = Authenticated encryption. Secure against tampering.
- 14. Ciphertext integrity m1, m2, mn c1←E(k, m1), c2, cn b Challenger Adversary b = 1 if D(k, c) valid and c` not in {c1, c2, cn} b = 0 otherwise Has integrity if Pr[b=1] ≈ 0 k c`
- 15. Implications Authenticity. MiM (man in the middle) can’t can not create valid CT. (still can replay) Security against CCA (chosen ciphertext attack)
- 16. MAC+Encryption Encryption key kE, MAC key kI
- 17. Standards GCM. CTR encryption then CW-MAC (Intel accelerated) CCM. CBC-MAC then CTR encryption (WiFI 802.11i) EAX. CTR encryption then CMAC.
- 18. OCB, Offset Code Book Parallelizable Patented in U.S. but free for GNU 64Gb per key