Integrity Message Authentication Codes
Integrity Message Authentication Codes
Dan Boneh
Message
Integrity
Goal:
integrity,
no
conden>ality.
Examples:
Protec>ng
public
binaries
on
disk.
Protec>ng
banner
ads
on
web
pages.
Dan Boneh
k
Bob
Def:
MAC
I
=
(S,V)
dened
over
(K,M,T)
is
a
pair
of
algs:
S(k,m)
outputs
t
in
T
V(k,m,t)
outputs
`yes
or
`no
Dan
Boneh
ARacker
can
easily
modify
message
m
and
re-compute
CRC.
CRC
designed
to
detect
random,
not
malicious
errors.
Dan
Boneh
Secure
MACs
ARackers
power:
chosen
message
a?ack
for
m1,m2,,mq
aRacker
is
given
ti
S(k,mi)
ARackers
goal:
existenAal
forgery
produce
some
new
valid
message/tag
pair
(m,t).
(m,t)
{
(m1,t1)
,
,
(mq,tq)
}
aRacker
cannot
produce
a
valid
tag
for
a
new
message
given
(m,t)
aRacker
cannot
even
produce
(m,t)
for
t
t
Dan
Boneh
Secure
MACs
For
a
MAC
I=(S,V)
and
adv.
A
dene
a
MAC
game
as:
Chal.
m1 M t1 S(k,m1)
kK
m2 , , mq t2 , , tq
Adv.
b
b=0
otherwise
(m,t)
Def:
I=(S,V)
is
a
secure
MAC
if
for
all
ecient
A:
AdvMAC[A,I]
=
Pr[Chal.
outputs
1]
is
negligible.
Dan
Boneh
Let I = (S,V) be a MAC. Suppose an aRacker is able to nd m0 m1 such that S(k, m0) = S(k, m1) for of the keys k in K Can this MAC be secure? Yes, the aRacker cannot generate a valid tag for m0 or m1 No, this MAC can be broken using a chosen msg aRack It depends on the details of the MAC
Let I = (S,V) be a MAC. Suppose S(k,m) is always 5 bits long Can this MAC be secure? No, an aRacker can simply guess the tag for messages It depends on the details of the MAC Yes, the aRacker cannot generate a valid tag for any message
F1
t1
=
S(k,F1)
F2
t2
=
S(k,F2)
lename
Fn
tn
=
S(k,Fn)
Later
a
virus
infects
system
and
modies
system
les
User
reboots
into
clean
OS
and
supplies
his
password
Then:
secure
MAC
all
modied
les
will
be
detected
Dan
Boneh
End of Segment
Dan Boneh