3.5.signatures - CS 161 Computer Security Spring 2010...


CS 161 Computer Security
Spring 2010
Paxson/Wagner
Notes 3/5

Message Authentication Codes and Digital Signatures

In the last two lectures, we looked at symmetric- and asymmetric-key encryption. Encryption is used to protect the confidentiality of communications over an insecure channel. This lecture, we'll look at cryptographic schemes that provide integrity and authentication. In particular, the threat we're concerned about is adversaries who send spoofed messages (pretending to be from a legitimate participant) or who modify the contents of a message from a legitimate participant. To address these threats, we will introduce cryptographic schemes that enable the recipient to detect spoofing and tampering.

We'll look at schemes in both the symmetric-key and asymmetric-key models. If Alice and Bob share a secret key K, they can use a Message Authentication Code (also called a MAC, for short) to detect tampering with their messages. If they don't have a shared key, but Bob knows Alice's public key, Alice can sign her messages with her private key, using a digital signature scheme (also known as a public-key signature scheme).

In tabular form, the big four types of cryptographic primitives are:

                               Symmetric-key                               Asymmetric-key
Confidentiality                Symmetric-key encryption (e.g., AES-CBC)    Public-key encryption (e.g., El Gamal)
Integrity and authentication   MACs (e.g., AES-CBC-MAC)                    Digital signatures (e.g., RSA)

1 Message Authentication Codes (MACs)

Suppose Alice and Bob share a secret key K, and Alice wants to send a message to Bob over an insecure channel. The message isn't secret, but she wants to prevent attackers from modifying the contents of the message. The idea of a Message Authentication Code (MAC) is to send a keyed checksum of the message along with the message, chosen so that any change to the message will render the checksum invalid.

The MAC on a message M is a value F(K, M) computed from K and M; the value F(K, M) is called the tag for M. Typically, we might use a 128-bit key K and 128-bit tags. Alice will send the pair of values M, T to Bob, where she computed the tag T = F(K, M) using the MAC. When Bob receives M, T, Bob will compute F(K, M) and check that it matches the provided tag T. If it matches, Bob will accept the message M as valid, authentic, and untampered; if F(K, M) ≠ T, Bob will ignore the message M and presume that some tampering or message corruption has occurred. The algorithm F is chosen so that if the attacker replaces M by some other message M', then the tag will almost certainly [1] no longer be valid: in particular, F(K, M) ≠ F(K, M'). More generally, there will be no way for the adversary to modify the message and then make a corresponding modification to the tag to trick Bob into accepting the modified message: given...

[1] Strictly speaking, there is a very small chance that the tag for M will also be a valid tag for M'. However, if we choose tags to
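
An added example, not part of the original notes: the M, T exchange between Alice and Bob, written in Python. The notes leave F abstract; HMAC-SHA256 truncated to 128 bits is assumed here as F, and the function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets

TAG_BYTES = 16  # 128-bit tags, as suggested in the notes


def mac(key: bytes, message: bytes) -> bytes:
    """F(K, M). Assumption: HMAC-SHA256 truncated to 128 bits stands in for F."""
    return hmac.new(key, message, hashlib.sha256).digest()[:TAG_BYTES]


def alice_send(key: bytes, message: bytes) -> tuple[bytes, bytes]:
    """Alice transmits the pair (M, T), where T = F(K, M)."""
    return message, mac(key, message)


def bob_receive(key: bytes, message: bytes, tag: bytes) -> bool:
    """Bob recomputes F(K, M) and accepts M only if the result equals T.

    compare_digest takes the same time wherever the tags differ, so the
    check does not reveal how many leading bytes of a bad tag were right.
    """
    if len(tag) != TAG_BYTES:
        return False  # a shortened tag is never accepted
    return hmac.compare_digest(mac(key, message), tag)


def demo() -> dict[str, bool]:
    key = secrets.token_bytes(16)            # 128-bit shared key K
    m, t = alice_send(key, b"pay Bob $10")   # constructed sample message M
    m_prime = b"pay Eve $10"                 # M' substituted in transit
    flipped = bytes([t[0] ^ 1]) + t[1:]      # T with one bit changed
    other_key = secrets.token_bytes(16)      # a key that is not K
    return {
        "untampered": bob_receive(key, m, t),
        "message_replaced": bob_receive(key, m_prime, t),
        "message_and_tag_modified": bob_receive(key, m_prime, flipped),
        "tag_from_wrong_key": bob_receive(key, m_prime, mac(other_key, m_prime)),
        "truncated_tag": bob_receive(key, m, t[:8]),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:26s} accepted={accepted}")
```

Only the untampered pair is accepted; every case in which M or T was changed without knowledge of K is rejected.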

This note was uploaded on 04/14/2010 for the course CS 161 taught by Professor Staff during the Spring '08 term at University of California, Berkeley.
