CS 161 Computer Security, Spring 2010, Paxson/Wagner, Notes 3/5

Message Authentication Codes and Digital Signatures

In the last two lectures, we looked at symmetric- and asymmetric-key encryption. Encryption is used to protect the confidentiality of communications over an insecure channel. This lecture, we'll look at cryptographic schemes that provide integrity and authentication. In particular, the threat we're concerned about is adversaries who send spoofed messages (pretending to be from a legitimate participant) or who modify the contents of a message from a legitimate participant. To address these threats, we will introduce cryptographic schemes that enable the recipient to detect spoofing and tampering.

We'll look at schemes in both the symmetric-key and asymmetric-key models. If Alice and Bob share a secret key K, they can use a Message Authentication Code (also called a MAC, for short) to detect tampering with their messages. If they don't have a shared key, but Bob knows Alice's public key, Alice can sign her messages with her private key, using a digital signature scheme (also known as a public-key signature scheme).

In tabular form, the big four types of cryptographic primitives are:

| | Symmetric-key | Asymmetric-key |
|---|---|---|
| Confidentiality | Symmetric-key encryption (e.g., AES-CBC) | Public-key encryption (e.g., El Gamal) |
| Integrity and authentication | MACs (e.g., AES-CBC-MAC) | Digital signatures (e.g., RSA) |

1 Message Authentication Codes (MACs)

Suppose Alice and Bob share a secret key K, and Alice wants to send a message to Bob over an insecure channel. The message isn't secret, but she wants to prevent attackers from modifying the contents of the message. The idea of a Message Authentication Code (MAC) is to send a keyed checksum of the message along with the message, chosen so that any change to the message will render the checksum invalid.
The MAC on a message M is a value F(K, M) computed from K and M; the value F(K, M) is called the tag for M. Typically, we might use a 128-bit key K and 128-bit tags. Alice will send the pair of values M, T to Bob, where she computed the tag T = F(K, M) using the MAC. When Bob receives M, T, Bob will compute F(K, M) and check that it matches the provided tag T. If it matches, Bob will accept the message M as valid, authentic, and untampered; if F(K, M) ≠ T, Bob will ignore the message M and presume that some tampering or message corruption has occurred.

The algorithm F is chosen so that if the attacker replaces M by some other message M′, then the tag will almost certainly[1] no longer be valid: in particular, F(K, M) ≠ F(K, M′). More generally, there will be no way for the adversary to modify the message and then make a corresponding modification to the tag to trick Bob into accepting the modified message: given...

[1] Strictly speaking, there is a very small chance that the tag for M will also be a valid tag for M′. However, if we choose tags to
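The tag-and-verify exchange described above, as an added example that is not part of the original notes. It assumes HMAC-SHA256 truncated to 128 bits as the MAC F (the notes name AES-CBC-MAC as their example); the function names and the messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets

TAG_BYTES = 16  # 128-bit tags, matching the sizes suggested in the notes


def F(K: bytes, M: bytes) -> bytes:
    """Tag for M under key K. Assumed instantiation: HMAC-SHA256 cut to 128 bits."""
    return hmac.new(K, M, hashlib.sha256).digest()[:TAG_BYTES]


def alice_send(K: bytes, M: bytes) -> tuple[bytes, bytes]:
    """Alice sends the pair (M, T) with T = F(K, M)."""
    return M, F(K, M)


def bob_accepts(K: bytes, M: bytes, T: bytes) -> bool:
    """Bob recomputes F(K, M) and compares it with T in constant time,
    so the comparison itself does not leak how many tag bytes matched."""
    return hmac.compare_digest(F(K, M), T)


def flip_bit(data: bytes, index: int) -> bytes:
    """Return a copy of data with one bit inverted (models tampering in transit)."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)


def demo() -> dict[str, bool]:
    K = secrets.token_bytes(16)               # 128-bit shared key
    M, T = alice_send(K, b"Pay Bob $10")      # constructed sample message
    other_key = secrets.token_bytes(16)       # stands in for an adversary without K
    return {
        "untampered": bob_accepts(K, M, T),
        "message replaced, tag reused": bob_accepts(K, b"Pay Eve $10", T),
        "message and tag both modified": bob_accepts(K, flip_bit(M, 0), flip_bit(T, 0)),
        "tag computed under another key": bob_accepts(K, M, F(other_key, M)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

Only the untampered pair is accepted; each rejected case would pass only with probability about 2^-128, the small chance the footnote refers to.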
This note was uploaded on 04/14/2010 for the course CS 161 taught by Professor Staff during the Spring '08 term at University of California, Berkeley.