CNIT 141
Cryptography for Computer Networks
7. Keyed Hashing
Updated 10-8-2020
Topics
• Message Authentication Codes (MACs)
• Pseudorandom Functions (PRFs)
• Creating Keyed Hashes from Unkeyed Hashes
• Creating Keyed Hashes from Block Ciphers: CMAC
• Dedicated MAC Designs
• How Things Can Go Wrong
Keyed Hashing
• Anyone can calculate the SHA hash of a message
• No secret value involved
• Keyed hashing forms the basis for two algorithms
• Message Authentication Code (MAC)
• Pseudorandom Function (PRF)
Message Authentication Codes (MACs)
MACs
• A MAC protects a message's integrity and authenticity with a tag T
• T = MAC(K, M)
• Verifying the MAC proves both that the message wasn't altered, and that it came from the sender holding the key
MACs in Secure Communication
• MACs are used in
• IPSec, SSH, and TLS
• 3G & 4G telephony encrypt packets but don't use a MAC
• An attacker can modify the packets
• Causing static on the line
Forgery
• Attacker shouldn't be able to create a tag without knowing the key
• Such a M, T pair is called a forgery
• A system is unforgeable if forgeries are impossible to find
Known-Message Attack
• An attacker passively collects messages and tags
• Tries to find the key
• This is a very weak attack
Chosen-Message Attacks
• An attacker can choose messages that get authenticated
• And observe the authentication tags
• The standard model to test MAC algorithms
Replay Attacks
• MACs are not safe from replay attacks
• To detect them, protocols include a message number in each message
• A replayed message will have an out-of-order message number
Pseudorandom Functions (PRFs)
PRFs
• Use a secret key to return PRF(K, M)
• Output looks random
• Key Derivation schemes use PRFs
• To generate cryptographic keys from a master key or password
• Identification schemes use PRFs
• To generate a response from a random challenge
Uses of PRFs
• 4G telephony uses PRFs
• To authenticate a SIM card
• To generate the encryption key and MAC used during a phone call
• TLS uses a PRF
• To generate key material from a master secret and a session-specific random value
PRF Security
• Has no pattern, looks random
• Indistinguishable from random bits
• Fundamentally stronger than MACs
• MACs are secure if they can't be forged
• But may not appear random
Creating Keyed Hashes from Unkeyed Hashes
The Secret-Prefix Construction
• Prepend key to the message, and return
• Hash(K || M)
• May be vulnerable to length-extension attacks
• Calculating Hash(K || M1 || M2) from Hash(K || M1)
• SHA-1 & SHA-2 are vulnerable to this, but not SHA-3
Insecurity with Different Key Lengths
• No way to tell key from message
• If K is 123abc and M is def00
• If K is 123a and M is bcdef00
• Result is Hash(123abcdef00)
• To fix this, BLAKE2 and SHA-3 include a keyed mode
• Another fix is to include the key's length in the hash: Hash(L || K || M)
Secret-Suffix Construction
• Tag is Hash(M || K)
• Prevents length-extension attack
• If you know Hash(M1 || K)
• You can calculate Hash(M1 || K || M2)
• But not Hash(M1 || M2 || K)
Secret-Suffix Construction
• But if there's a hash collision
• Hash(M1) = Hash(M2)
• The tags can collide too
• Hash(M1 || K) = Hash(M2 || K)
HMAC Construction
• More secure than secret prefix or secret suffix
• Used by IPSec, SSH, and TLS
• Specified in NIST's FIPS 198-6 standard
• And RFC 2104
HMAC Construction
• Key K is usually shorter than block size
• Uses opad (outer padding) and ipad (inner padding)
• opad is a series of 0x5c bytes as long as the block size
• ipad is a series of 0x36 bytes as long as the block size
Specifying Hash Function
• Must specify, as in HMAC-SHA256
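The ipad/opad construction above is short enough to build by hand. The following is an added example, not code from the slides: it assembles HMAC-SHA256 exactly as RFC 2104 describes (hash an over-long key, zero-pad the key to the block size, XOR with 0x36 and 0x5c, inner hash then outer hash) and checks the result against Python's hmac module and the public RFC 4231 test vector. The sample key and message used for the cross-check are constructed.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 compresses 64-byte blocks, so ipad and opad are 64 bytes long


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 assembled directly from the RFC 2104 construction:
    H((K' ^ opad) || H((K' ^ ipad) || M))."""
    # A key longer than one block is first reduced by hashing it.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    # The usual case: the key is shorter than a block and is zero-padded to block size.
    padded_key = key.ljust(BLOCK_SIZE, b"\x00")
    # ipad is 0x36 repeated, opad is 0x5c repeated; XOR each with the padded key.
    inner_key = bytes(b ^ 0x36 for b in padded_key)
    outer_key = bytes(b ^ 0x5C for b in padded_key)
    inner_hash = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner_hash).digest()


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built tag against Python's hmac module."""
    reference = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256(key, message), reference)


# RFC 4231 test case 1 (public test vector), reproduced here for self-checking.
RFC4231_KEY = bytes([0x0B] * 20)
RFC4231_DATA = b"Hi There"
RFC4231_TAG = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"

if __name__ == "__main__":
    print(hmac_sha256(RFC4231_KEY, RFC4231_DATA).hex() == RFC4231_TAG)
    # A key longer than the block size exercises the hash-the-key branch.
    print(matches_stdlib(b"k" * 100, b"constructed sample message"))
```

The two hash invocations are why HMAC resists the length-extension and key-length problems of the secret-prefix and secret-suffix constructions: the outer hash hides the inner state, and the key always occupies exactly one full block.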
A Generic Attack Against Hash-Based MACs
• Can forge an HMAC tag from a hash collision
• Requires 2^(n/2) calculations
• n is length of digest
• Doesn't require a hash length extension attack
• Works on all MACs based on an iterated hash function
A Generic Attack Against Hash-Based MACs
• Infeasible for n larger than 128 bits
Creating Keyed Hashes from Block Ciphers: CMAC
CMAC and Block Ciphers
• The compression function in many hash functions is built on a block cipher
• Ex: HMAC-SHA-256
• CMAC uses only a block cipher
• Less popular than HMAC
• Used in IKE (part of IPSec)
CBC-MAC
• CMAC was designed in 2005
• As an improved version of CBC-MAC
• CBC-MAC:
• Encrypt M with IV=0
• Discard all but the last ciphertext block
(Figure: CBC-MAC chain with IV = 0)
Breaking CBC-MAC
• Suppose attacker knows the tags T1 and T2 for two single-block messages M1 and M2
(Figure: T1 is the CBC-MAC of M1 and T2 the CBC-MAC of M2, each with IV = 0)
Breaking CBC-MAC
• T2 is also the tag of this message:
• M1 || (M2 ^ T1)
• For two single-block messages M1 and M2
• Attacker can forge a message and tag
(Figure: two-block message M1, M2 ^ T1; the intermediate value is T1 and the final tag is T2, IV = 0)
Fixing CBC-MAC
• Use key K to create K1 and K2
• Encrypt last block with a different key
(Figure: blocks encrypted with keys K, K, K1, IV = 0)
CBC-MAC
• If the message fills the last block exactly
• Uses K and K1
CBC-MAC
• If padding is needed
• Uses K and K2
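The splice on the "Breaking CBC-MAC" slide and the K1/K2 fix on the "Fixing CBC-MAC" slides can be checked side by side. This is an added example, not code from the slides. Assumption: the Python standard library has no AES, so a keyed pseudorandom function truncated to 16 bytes stands in for the block cipher; both plain CBC-MAC and the RFC 4493 CMAC subkey schedule (K1 for a complete last block, K2 for a padded one) only need a keyed block function to show the difference. The key and the two single-block messages are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, matching AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (assumption: no AES in the
    stdlib, so HMAC-SHA256 truncated to one block plays the cipher's role)."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_chain(key: bytes, blocks: bytes) -> bytes:
    """CBC-encrypt whole blocks with IV = 0 and return only the last ciphertext block."""
    state = bytes(BLOCK)  # IV = 0
    for i in range(0, len(blocks), BLOCK):
        state = block_encrypt(key, xor(state, blocks[i:i + BLOCK]))
    return state


def cbc_mac(key: bytes, message: bytes) -> bytes:
    """Plain CBC-MAC: same key for every block, no special treatment of the last block."""
    if not message or len(message) % BLOCK:
        raise ValueError("plain CBC-MAC demo expects one or more whole blocks")
    return cbc_chain(key, message)


def _double(block: bytes) -> bytes:
    """Multiply by x in GF(2^128): the RFC 4493 step that derives K1 and K2."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n ^= 0x87
    return (n & ((1 << 128) - 1)).to_bytes(BLOCK, "big")


def cmac_subkeys(key: bytes):
    l = block_encrypt(key, bytes(BLOCK))  # encrypt the all-zero block
    k1 = _double(l)
    k2 = _double(k1)
    return k1, k2


def cmac(key: bytes, message: bytes) -> bytes:
    """CMAC: the final block is masked with K1 if complete, or padded with
    10..0 and masked with K2 if padding is needed (the two CBC-MAC slides)."""
    k1, k2 = cmac_subkeys(key)
    if message and len(message) % BLOCK == 0:
        body, last = message[:-BLOCK], xor(message[-BLOCK:], k1)
    else:
        cut = len(message) - len(message) % BLOCK
        body = message[:cut]
        last = xor((message[cut:] + b"\x80").ljust(BLOCK, b"\x00"), k2)
    return block_encrypt(key, xor(cbc_chain(key, body), last))


def splice_accepted(mac, key: bytes, m1: bytes, m2: bytes) -> bool:
    """Does M1 || (M2 ^ T1) verify with tag T2 under `mac`? This is the check a
    reviewer would run: True for plain CBC-MAC, False once the last block is masked."""
    t1, t2 = mac(key, m1), mac(key, m2)
    return hmac.compare_digest(mac(key, m1 + xor(m2, t1)), t2)


# Constructed sample inputs (not from the slides): a 16-byte key and two single-block messages.
KEY = b"0123456789abcdef"
M1 = b"pay Alice 10 USD"
M2 = b"pay Bob 9999 USD"

if __name__ == "__main__":
    print("plain CBC-MAC accepts splice:", splice_accepted(cbc_mac, KEY, M1, M2))
    print("CMAC accepts splice:", splice_accepted(cmac, KEY, M1, M2))
```

With plain CBC-MAC the second block's input is (M2 ^ T1) ^ T1 = M2, so the chain lands on T2 regardless of the key; CMAC's K1 mask on the final block breaks that algebra, which is why the spliced message no longer verifies.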
Dedicated MAC Designs
Dedicated Design
• The preceding systems use hash functions and block ciphers to build PRFs
• Convenient but inefficient
• Could be made faster by designing specifically for MAC use case
Poly1305
• Designed in 2005
• Optimized to run fast on modern CPUs
• Used by Google for HTTPS and OpenSSH
Universal Hash Functions
• UHF is much weaker than a cryptographic hash function
• But much faster
• Not collision-resistant
• Uses a secret key K
• UH(K, M)
• Only one security requirement
• For two messages M1 and M2
• Negligible probability that
• UH(K, M1) = UH(K, M2)
• For a random K
• Doesn't need to be pseudorandom
Universal Hash Functions
• Weakness:
• K can only be used once
• Otherwise an attacker can solve two equations like this and gain information about the key
Wegman-Carter MACs
• Builds a MAC from a universal hash function
and a PRF
• Using two keys K1 and K2
• And a nonce N that is unique for each key, K2
• Secure if
Wegman-Carter MACs
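The universal-hash slides and the Wegman-Carter slides describe one construction: a fast polynomial hash keyed by K1, masked by a PRF of a nonce under K2. The following is an added example, not code from the slides or from the Poly1305 authors. Assumptions: the polynomial hash works in the same field Poly1305 uses (modulo the prime 2^130 - 5), and HMAC-SHA256 truncated to 128 bits stands in for the PRF where Poly1305-AES would use one AES block. The sender object enforces the nonce rule from the slides by refusing to reuse an N. Keys and messages in the usage are constructed.

```python
import hashlib
import hmac
import secrets

# Poly1305 works modulo the prime 2^130 - 5; this polynomial hash uses the same field (assumption).
P = (1 << 130) - 5
TAG_BITS = 128


def universal_hash(r: int, message: bytes) -> int:
    """Polynomial universal hash UH(r, M): Horner evaluation of the 16-byte blocks
    of M at the secret point r, modulo P. A 0x01 byte is appended to every block so
    that blocks of different lengths map to distinct field elements. Two distinct
    messages of at most n blocks collide for at most n of the P possible values of r,
    which is the single 'negligible probability' requirement on the slides. The output
    is not pseudorandom: it is a linear function of the message for a fixed r."""
    acc = 0
    for i in range(0, len(message), 16):
        block = int.from_bytes(message[i:i + 16] + b"\x01", "little")
        acc = (acc + block) * r % P
    return acc


def prf(k2: bytes, nonce: bytes) -> int:
    """PRF(K2, N) stand-in: HMAC-SHA256 truncated to 128 bits (assumption for the demo)."""
    return int.from_bytes(hmac.new(k2, nonce, hashlib.sha256).digest()[:16], "little")


def wegman_carter_tag(k1: int, k2: bytes, nonce: bytes, message: bytes) -> bytes:
    """Tag = (UH(K1, M) + PRF(K2, N)) mod 2^128, the Wegman-Carter composition."""
    t = (universal_hash(k1, message) + prf(k2, nonce)) % (1 << TAG_BITS)
    return t.to_bytes(16, "little")


class WegmanCarterMAC:
    """Sender/receiver state that enforces the nonce rule: each N is used once per K2."""

    def __init__(self, k1: int, k2: bytes):
        self.k1, self.k2 = k1, k2
        self.used_nonces = set()

    def tag(self, nonce: bytes, message: bytes) -> bytes:
        if nonce in self.used_nonces:
            raise ValueError("nonce reuse: two tags under one mask expose UH(K1, .)")
        self.used_nonces.add(nonce)
        return wegman_carter_tag(self.k1, self.k2, nonce, message)

    def verify(self, nonce: bytes, message: bytes, tag: bytes) -> bool:
        expected = wegman_carter_tag(self.k1, self.k2, nonce, message)
        return hmac.compare_digest(expected, tag)


def nonce_reuse_rejected(mac: WegmanCarterMAC, nonce: bytes, message: bytes) -> bool:
    """True if the sender refuses to tag a second message under an already-used nonce."""
    try:
        mac.tag(nonce, message)
    except ValueError:
        return True
    return False


def fresh_keys():
    """K1 is a random field element, K2 a random 32-byte PRF key."""
    return secrets.randbelow(P), secrets.token_bytes(32)


if __name__ == "__main__":
    mac = WegmanCarterMAC(*fresh_keys())
    n = (1).to_bytes(16, "little")  # constructed nonce, e.g. a message counter
    t = mac.tag(n, b"constructed sample message")
    print(mac.verify(n, b"constructed sample message", t))
```

The split of work is the point of the design: the per-message cost is field multiplications over the message, and the only cipher call is the one PRF evaluation on the nonce, which is what makes Poly1305-AES cheaper than an HMAC or CMAC over the same data.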
Poly1305-AES
• Much faster than HMAC-based MACs or even CMACs
• Only computes one block of AES
• Poly1305 is a universal hash
• Remaining processing runs in parallel with simple arithmetic operations
• Secure as long as AES is
SipHash
• Poly1305 is optimized for long messages
• Requires nonce, which must not be repeated
• For small messages, Poly1305 is overkill
• SipHash is best for short messages
• Less than 128 bytes
• Designed to resist DoS attacks on hash tables
• Uses XORs, additions, and word rotations
SipHash
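The slide lists SipHash's ingredients (XORs, additions, word rotations) and its purpose (short keyed hashes that protect hash tables). The following SipHash-2-4 implementation is an added example, not code from the slides or from the SipHash authors; it follows the algorithm as published and checks itself against the test vector printed in the SipHash paper (key 00 01 .. 0f, message 00 01 .. 0e). The bucket helper shows the hash-table use: the per-process secret key is what stops an outsider from precomputing colliding inputs.

```python
MASK64 = (1 << 64) - 1


def _rotl(x: int, b: int) -> int:
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    """One SipRound: nothing but 64-bit additions, XORs and rotations (ARX)."""
    v0 = (v0 + v1) & MASK64
    v1 = _rotl(v1, 13)
    v1 ^= v0
    v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64
    v3 = _rotl(v3, 16)
    v3 ^= v2
    v0 = (v0 + v3) & MASK64
    v3 = _rotl(v3, 21)
    v3 ^= v0
    v2 = (v2 + v1) & MASK64
    v1 = _rotl(v1, 17)
    v1 ^= v2
    v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key: bytes, message: bytes) -> int:
    """SipHash-2-4: 128-bit key, 64-bit output, two compression rounds per
    8-byte word and four finalization rounds."""
    if len(key) != 16:
        raise ValueError("SipHash needs a 16-byte key")
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    # Initial state: key XORed with the constants "somepseu", "dorandom", "lygenera", "tedbytes".
    v0 = k0 ^ 0x736F6D6570736575
    v1 = k1 ^ 0x646F72616E646F6D
    v2 = k0 ^ 0x6C7967656E657261
    v3 = k1 ^ 0x7465646279746573
    n = len(message)
    full = n - n % 8
    words = [int.from_bytes(message[i:i + 8], "little") for i in range(0, full, 8)]
    # Final word: the remaining 0..7 bytes, with the message length in the top byte.
    tail = int.from_bytes(message[full:], "little") | ((n & 0xFF) << 56)
    for m in words + [tail]:
        v3 ^= m
        for _ in range(2):
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0 ^= m
    v2 ^= 0xFF
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


def bucket(key: bytes, item: bytes, nbuckets: int) -> int:
    """Hash-table slot chosen with a secret per-process key, so an outside party
    cannot precompute a set of items that all land in the same bucket."""
    return siphash24(key, item) % nbuckets


# Key and message from the SipHash paper's test vector (public values).
PAPER_KEY = bytes(range(16))
PAPER_MSG = bytes(range(15))

if __name__ == "__main__":
    print(hex(siphash24(PAPER_KEY, PAPER_MSG)))  # a129ca6149be45e5, as in the paper
```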
How Things Can Go Wrong
Timing Attacks on MAC Verification
• Side-channel attacks
• Target the implementation
• Not the algorithm
• The comparison code shown on the slide returns faster if the first byte is incorrect
• Solution: write constant-time code
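The slide's comparison loop can be instrumented to make the leak visible. This is an added example, not code from the slides: naive_compare returns how many bytes it examined before giving up, which is exactly the quantity a timing measurement reveals; constant_time_compare and verify_tag show the fix. The key, message and the two candidate tags (one wrong in the first byte, one wrong in the last) are constructed.

```python
import hashlib
import hmac


def naive_compare(a: bytes, b: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined): the second value
    is what a timing side channel observes, since the loop stops at the first mismatch."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_compare(a: bytes, b: bytes) -> bool:
    """Examine every byte regardless of where differences are; accumulate
    mismatches with OR so that control flow does not depend on the data."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the expected HMAC and compare with the stdlib's constant-time helper."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


# Constructed sample values (not from the slides).
KEY = b"constructed-demo-key"
MSG = b"transfer 100 to account 42"
GOOD_TAG = hmac.new(KEY, MSG, hashlib.sha256).digest()
# Candidate tags that differ from the real one only in the first or only in the last byte.
WRONG_FIRST = bytes([GOOD_TAG[0] ^ 0x01]) + GOOD_TAG[1:]
WRONG_LAST = GOOD_TAG[:-1] + bytes([GOOD_TAG[-1] ^ 0x01])

if __name__ == "__main__":
    for name, cand in (("first byte wrong", WRONG_FIRST), ("last byte wrong", WRONG_LAST)):
        print(name, "- naive compare examined", naive_compare(GOOD_TAG, cand)[1], "bytes")
```

In production code use hmac.compare_digest (or the equivalent in your language's crypto library) rather than the hand-written loop: the OR-accumulate pattern shows the idea, but an interpreter or optimizing compiler offers no guarantee that it stays data-independent.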
When Sponges Leak
• If attacker gets the internal state
• Through a side-channel attack
• Permutation-based algorithms fail
• Allowing forgery
• Applies to SHA-3 and SipHash
• But not compression-function-based MACs
• Like HMAC-SHA-256 and BLAKE2