{[ promptMessage ]}

Bookmark it

{[ promptMessage ]}

s-mac

# s-mac - MESSAGE AUTHENTICATION 1 103 Integrity and...

This preview shows pages 1–14. Sign up to view the full content.

MESSAGE AUTHENTICATION 1/103

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified in transit 2/103
Integrity and authenticity example Alice Bob (Bank) Alice Pay \$100 to Charlie a45 Adversary Eve might Modify “Charlie” to “Eve” Modify “\$100” to “\$1000” Integrity prevents such attacks. 3/103

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
Medical databases Doctor Reads F A Modifies F A to F A Get Alice a45 F A a27 Put: Alice, F A a45 Database Alice F A Bob F B Alice F A Bob F B 4/103
Medical databases Doctor Reads F A Modifies F A to F A Get Alice a45 F A a27 Put: Alice, F A a45 Database Alice F A Bob F B Alice F A Bob F B Need to ensure doctor is authorized to get Alice’s file F A , F A are not modified in transit F A is really sent by database F A is really sent by (authorized) doctor 4/103

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
Symmetric Setting We will study how to authenticate messages in the symmetric setting where Sender and Receiver share a random key K not given to the adversary. 5/103
Does privacy provide authenticity? Let SE = ( K , E , D ) be a (IND-CPA secure) symmetric encryption scheme. Say M =“Pay \$100 to Bob” Adversary wants Receiver to get M =“Pay \$1,000 to Bob” Adversary needs to modify C to C such that D K ( C ) = M . Intuition: It is hard to modify C to ensure above, since modifying C will result in D K ( C ) being garbled/random and Receiver will reject. 6/103

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
Counterexample: OTP Say E K ( M ) = K M and D K ( C ) = K C . Should assume adversary knows M . Then it can let Δ = M M and C C Δ A K E M C C D K M Δ = M because D K ( C Δ) = K C Δ = M Δ 7/103
Adding redundacy Let SE = ( K , E , D ) be a (IND-CPA secure) symmetric encryption scheme. To send M , sender computes C \$ ←E K (0 128 || M ) and sends C to receiver. Receiver gets C and lets R || M ←D K ( C ). If R = 0 128 it outputs M else . Intuition: If C is modified to C then most probably the first 128 bits of D K ( C ) will not all be 0 and Receiver will reject. However, OTP again provides a counterexample to show that this does not provide integrity. 8/103

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
What went wrong? Possible reaction: OTP is bad! Use CBC instead. But CBC has similar problems. 9/103
What went wrong? Possible reaction: OTP is bad! Use CBC instead. But CBC has similar problems. The real problem: There is no good reason to think that privacy provides authenticity. Encryption is the wrong tool here. To call an encryption scheme bad because it does not provide authenticity is like calling a car bad because it does not fly. To fly you need an airplane. 9/103

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
Message authentication schemes A message authentication (MA) scheme MA = ( K , T , V ) consists of three algorithms: We refer to T as the MAC or tag. We let T K ( · ) = T ( K , · ) V K ( · ) = V ( K , · , · ) 10/103
Consistency Let MA = ( K , T , V ) be any MA scheme. We require that for all messages M , V K ( M , T K ( M )) = 1 with probability one, where the probability is over the choice of K and the coins of T .

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}

### Page1 / 112

s-mac - MESSAGE AUTHENTICATION 1 103 Integrity and...

This preview shows document pages 1 - 14. Sign up to view the full document.

View Full Document
Ask a homework question - tutors are online