Introduction MACs Timing attacks
MACs
Message authentication and integrity
Foundations of Cryptography, Computer Science Department
Wellesley College
Fall 2016
Table of contents
Introduction
MACs
Timing attacks
Secure communication and message integrity
Imagine a supermarket chain sends an email request to purchase 10,000 crates of Coke*. The supplier has to consider:
1. Is the order authentic, i.e., did the chain really issue an order, or was it spoofed?
2. Even if it assuredly came from the chain, the supplier must still ask whether the details are exactly as intended.
*The order itself is not secret and therefore the question of privacy does not arise.
Encryption vs. Message Authentication
• Why not use encryption to ensure message integrity? After all, if the adversary cannot figure out what you are saying, what harm can she do?
• Consider randomized counter mode, which we proved has indistinguishable encryption under a chosen-plaintext attack.
• If the message structure is known (or can be guessed), then the attacker can manipulate the ciphertext to cause predictable changes in the plaintext.*
*How?
Using privacy to achieve authentication
• Suppose Bullwinkle transmits an ASCII message M100 which indicates that Rocky should please transfer $100 from the checking account of Bullwinkle to the checking account of Boris.
• The adversary Boris wants to change the amount from $100 to $900. Now if M100 had been sent in the clear, Boris could easily modify it.
• But if M100 is encrypted so that ciphertext C100 is sent, how is Boris to modify C100 so as to make Rocky recover the different message M900?
Not so fast*
*The format of the message is known to all parties.
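The "How?" above, worked through as an added example (not the lecture's own code): randomized counter mode is built from a PRF, with HMAC-SHA256 standing in for the block cipher F_k, so the construction and all names are this example's assumptions. It shows that a single known-position ciphertext byte can be changed to turn $100 into $900 without the key, and that a MAC over the IV and ciphertext rejects the altered transmission.

```python
import hmac
import os
from hashlib import sha256

# Constructed illustration: randomized counter mode from a PRF, with
# HMAC-SHA256 in place of the block cipher F_k (an assumption of this example).
BLOCK = 32  # bytes produced per PRF call

def prf(key: bytes, ctr: int) -> bytes:
    return hmac.new(key, ctr.to_bytes(16, "big"), sha256).digest()

def ctr_crypt(key: bytes, data: bytes, iv: int) -> bytes:
    """Counter mode: output[i] = data[i] XOR keystream[i], where the keystream is
    F_k(iv), F_k(iv+1), ...  Encryption and decryption are the same operation."""
    blocks = (len(data) + BLOCK - 1) // BLOCK
    stream = b"".join(prf(key, (iv + b) % 2**128) for b in range(blocks))
    return bytes(x ^ y for x, y in zip(data, stream))

def tag(mac_key: bytes, iv: int, ct: bytes) -> bytes:
    """Tag the IV and ciphertext together, so a change to either is detected."""
    return hmac.new(mac_key, iv.to_bytes(16, "big") + ct, sha256).digest()

M100 = b"Transfer $100 from my account to Boris"

def demo(enc_key: bytes, mac_key: bytes, iv: int):
    ct = ctr_crypt(enc_key, M100, iv)
    t = tag(mac_key, iv, ct)
    # Boris knows the message format, so he knows which byte holds the '1' of
    # "$100". XOR-ing that ciphertext byte with ('1' XOR '9') flips exactly the
    # plaintext bits that turn '1' into '9'; the key is never needed.
    pos = M100.index(b"$") + 1
    forged = bytearray(ct)
    forged[pos] ^= ord("1") ^ ord("9")
    recovered = ctr_crypt(enc_key, bytes(forged), iv)   # what Rocky would decrypt
    # With a MAC, Rocky recomputes the tag over what arrived: the forgery fails.
    accepted = hmac.compare_digest(t, tag(mac_key, iv, bytes(forged)))
    return recovered, accepted

if __name__ == "__main__":
    rec, ok = demo(os.urandom(32), os.urandom(32), int.from_bytes(os.urandom(16), "big"))
    print(rec, "accepted" if ok else "rejected by MAC")
```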
And another thing ...
• In fact, sometimes confidentiality only gets in the way.
• We don’t encrypt our checks when we sign them.
• With message encryption, the protection is lost when the message is decrypted. In addition, there is an overhead associated with encryption and decryption.
The problem in a nutshell
Data authenticity or integrity
Sender S wants to send a message M to receiver R in such a way that R will be sure it came from S
But, adversary A controls the communications channel.
The solution: Message Authentication Codes (MACs)
Message authentication code
One solution is to attach a fixed-length “tag” to the original message.
The tag, or MAC, serves to validate the authenticity of the message.
*Confidentiality isn’t always needed. In fact, sometimes confidentiality only gets in the way.
Message Authentication Codes
Definition 4.1. A message authentication code (MAC) is a tuple of probabilistic polynomial-time algorithms (Gen, Mac, Vrfy) such that:
1. The key-generation algorithm Gen takes as input the security parameter 1^n and outputs a key k with |k| ≥ n.
2. The tag-generation algorithm Mac takes as input a key k and a message m ∈ {0, 1}*, and outputs a tag t. Since this algorithm may be randomized, we write t ← Mac_k(m).
3. The verification algorithm Vrfy takes as input a key k, a message m, and a tag t. It outputs a bit b, with b = 1 meaning valid and b = 0 meaning invalid. We assume WLOG that Vrfy is deterministic and so write this as b := Vrfy_k(m, t).
It is required that for every n, k, m: Vrfy_k(m, Mac_k(m)) = 1.
Canonical verification
• For deterministic message authentication codes, the canonical way to perform verification is to simply re-compute the tag and check for equality.
Security of message authentication codes
• Our goal is to detect any attempt by the adversary to modify the transmission.
• To accomplish this we seek MACs such that no polynomial-time adversary can generate a valid tag on any “new” message that was not previously sent.
• Of course, the adversary may have observed (or even influenced the content of) many messages and their corresponding tags before taking action.
Secure MACs
The message authentication experiment Mac-forge_{A,Π}(n):
1. A random key k is generated by running Gen(1^n).
2. The adversary A is given input 1^n and oracle access to Mac_k(·). The adversary eventually outputs a pair (m, t). Let Q denote the set of all queries that A asked to its oracle.
3. The output of the experiment is defined to be 1 if and only if (1) Vrfy_k(m, t) = 1; and (2) m ∉ Q.
Definition 4.2. A message authentication code Π = (Gen, Mac, Vrfy) is existentially unforgeable under an adaptive chosen-message attack if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that
Pr[Mac-forge_{A,Π}(n) = 1] ≤ negl(n).
Bullwinkle buys a bike from Boris
[Figure: the Sender transmits the message “Transfer $100 from my account to Boris” together with its tag, shown as “-- &*#@”, to the Receiver. The Adversary, sitting on the channel, sees the same message/tag pair “Transfer $100 from my account to Boris -- &*#@”.]
Sometime later ...
[Figure: with the Sender out to lunch, the Adversary resends the captured pair “Transfer $100 from my account to Boris -- &*#@” to the Receiver.]
Replay attacks and MACs
• MACs provide no protection against replay attacks.
• The problem is that MACs do not incorporate any notion of state in their verification algorithms. Thus, every time a valid pair (m, t) is presented to Vrfy_k it returns the same answer.
• Protection against replay attacks is left to some higher-level application.
Dealing with replay attacks
Two common techniques for dealing with replay attacks*:
Sequence numbers: The sender assigns a unique sequence number i to each message, which the receiver keeps track of. The MAC tag is computed over the concatenated message i | m.
Time stamps: The sender appends the current time to the message. When the receiver obtains a message, it checks whether the included time-stamp is within some acceptable window of the current time.
*Both schemes have certain drawbacks.
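Both techniques as an added example (not the lecture's code), with HMAC-SHA256 as the MAC and the counter or time-stamp encoded as a fixed 8-byte field so that i | m parses unambiguously; all class and function names are this example's own. Each receiver's comment notes the drawback the footnote alludes to.

```python
import hmac
from hashlib import sha256

# Constructed illustration: HMAC-SHA256 as the MAC, 8-byte big-endian prefix
# for the sequence number / time-stamp (assumptions of this example).

def mac_seq(key: bytes, i: int, m: bytes) -> bytes:
    """Tag over the concatenation i | m (sequence-number scheme)."""
    return hmac.new(key, i.to_bytes(8, "big") + m, sha256).digest()

def mac_time(key: bytes, ts: int, m: bytes) -> bytes:
    """Tag over the concatenation ts | m (time-stamp scheme)."""
    return hmac.new(key, ts.to_bytes(8, "big") + m, sha256).digest()

class Sender:
    def __init__(self, key: bytes):
        self.key, self.i = key, 0
    def send(self, m: bytes):
        self.i += 1                       # fresh sequence number per message
        return self.i, m, mac_seq(self.key, self.i, m)

class SeqReceiver:
    """Remembers the highest sequence number accepted; anything at or below
    it is treated as a replay."""
    def __init__(self, key: bytes):
        self.key, self.last = key, 0
    def receive(self, i: int, m: bytes, t: bytes) -> str:
        if not hmac.compare_digest(t, mac_seq(self.key, i, m)):
            return "reject: bad tag"
        if i <= self.last:                # drawback: out-of-order delivery is rejected too
            return "reject: replay"
        self.last = i
        return "accept"

class TimeReceiver:
    """Accepts if the time-stamp is within `window` seconds of the receiver's
    clock (`now` is passed in so the check is testable)."""
    def __init__(self, key: bytes, window: int):
        self.key, self.window = key, window
    def receive(self, ts: int, m: bytes, t: bytes, now: int) -> str:
        if not hmac.compare_digest(t, mac_time(self.key, ts, m)):
            return "reject: bad tag"
        if abs(now - ts) > self.window:
            return "reject: stale"
        return "accept"                   # drawback: a replay inside the window still passes
```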
New tags on old messages
• Secure MACs ensure that an adversary cannot generate a valid tag on a new message that was never previously authenticated.
• This does not rule out the possibility that an attacker might be able to generate a new tag on a previously authenticated message.
• We may want to ensure that this cannot happen. To do so we consider a modified experiment Mac-sforge that is defined exactly as Mac-forge except that now the set Q contains pairs (m, t) of oracle queries and their responses.
• An adversary succeeds if and only if A outputs (m, t) such that Vrfy_k(m, t) = 1 and (m, t) ∉ Q.
Strong MACs
The message authentication experiment Mac-sforge_{A,Π}(n):
1. A random key k is generated by running Gen(1^n).
2. The adversary A is given input 1^n and oracle access to Mac_k(·). The adversary eventually outputs a pair (m, t). Let Q denote the set of all pairs (m, t) such that A queried Mac_k(m) and received tag t in response.
3. The output of the experiment is defined to be 1 if and only if (1) Vrfy_k(m, t) = 1; and (2) (m, t) ∉ Q.
Definition 4.3. A message authentication code Π = (Gen, Mac, Vrfy) is strongly secure if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that
Pr[Mac-sforge_{A,Π}(n) = 1] ≤ negl(n).
Verification
Proposition 4.4. Let Π = (Gen, Mac, Vrfy) be a secure MAC that uses canonical verification. Then Π is a strong MAC.*
One can also consider an adversary who interacts with an honest receiver, sending (m', t') to the receiver to learn whether Vrfy_k(m', t') = 1.
It is not hard to incorporate this into our definition of MAC security. However, for MACs that use canonical verification it makes no difference: any such MAC that satisfies Definition 4.2 also remains secure when verification queries are possible.**
*Proof is left as an exercise.
**You guessed it, another exercise.
Things that go bark in the night
• Consider an adversary who can send message/tag pairs to the receiver and learn not only whether the receiver accepts or rejects, but also the time it takes to make the decision.
• We show that a natural implementation of MAC verification leads to an easily exploitable vulnerability.*
*This attack, which is an example of a side-channel attack, shows that certain real-world attacks are not captured by the usual definitions.
A potential timing attack
Assume a MAC using canonical verification that uses a standard routine (like strcmp in C) for byte comparisons.
• Suppose the attacker already knows the first i ≥ 0 bytes of the tag for message m.
• The attacker sends (m, t_0), …, (m, t_255) to the receiver, where t_j is the string with the first i bytes set correctly, the (i+1)th byte equal to j, and the remaining bytes set to 0x00.
• All of these are likely to be rejected.* But for exactly one of these tags, say t_j, the first (i+1) bytes will match the correct tag and rejection will take slightly longer. The attacker learns that the (i+1)th byte of the correct tag is j.
*If not, the attacker wins right away.
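Why the early-exit comparison leaks and how the fix removes the leak, as an added example (not the lecture's code). Each comparator returns the verdict together with the number of bytes it examined, which stands in for the time a strcmp-style routine spends before rejecting; HMAC-SHA256 is assumed as the MAC and all names are this example's own.

```python
import hmac
from hashlib import sha256

# Constructed illustration: HMAC-SHA256 as the MAC (an assumption of this
# example). Each comparator returns (equal, bytes_examined); the count is a
# proxy for the time an early-exit routine such as strcmp would take.

def mac(key: bytes, m: bytes) -> bytes:
    return hmac.new(key, m, sha256).digest()

def early_exit_compare(a: bytes, b: bytes):
    """strcmp-style: stops at the first mismatching byte, so the work done
    reveals how many leading bytes of the guess were correct."""
    if len(a) != len(b):
        return False, 0
    for n, (x, y) in enumerate(zip(a, b), 1):
        if x != y:
            return False, n
    return True, len(a)

def constant_time_compare(a: bytes, b: bytes):
    """Examines every byte and folds all differences into one accumulator, so
    the work done is independent of where (or whether) the guess is wrong."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)

def verify(key: bytes, m: bytes, t: bytes, compare):
    """Canonical verification: recompute the tag, then compare with `compare`."""
    return compare(mac(key, m), t)

def leakage(key: bytes, m: bytes, compare):
    """Work spent rejecting a tag that is wrong at byte 1 versus one that is
    wrong at byte 2 (i.e. whose first byte is already correct)."""
    t = mac(key, m)
    wrong_at_1 = bytes([t[0] ^ 1]) + t[1:]
    wrong_at_2 = t[:1] + bytes([t[1] ^ 1]) + t[2:]
    return verify(key, m, wrong_at_1, compare)[1], verify(key, m, wrong_at_2, compare)[1]

def verify_safe(key: bytes, m: bytes, t: bytes) -> bool:
    """What production code should do: the library's constant-time comparison
    (a plain `==` on bytes also short-circuits on the first mismatch)."""
    return hmac.compare_digest(mac(key, m), t)
```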
Right, but how realistic is this?
• This attack was carried out against the MACs used to verify code updates in the Xbox 360.
• The implementation of MAC verification had a difference of 2.2 milliseconds between rejection times.
• Attackers were able to exploit this and load pirated games onto the hardware.