
Integrity Message Authentication Codes

This document discusses message authentication codes (MACs) for providing message integrity and authentication. It defines a MAC as a pair of algorithms for generating and verifying message tags using a secret key. A secure MAC prevents attackers from generating valid tags for new messages even if they can obtain tags for other messages of their choosing. The document provides examples of using MACs to protect system files so that any modifications can be detected.

Uploaded by

Sugam Kataria
Copyright
© Attribution Non-Commercial (BY-NC)

Online Cryptography Course
Dan Boneh

Message integrity: Message Auth. Codes

Message Integrity

Goal: integrity, no confidentiality.
Examples:
- Protecting public binaries on disk.
- Protecting banner ads on web pages.

Message integrity: MACs

Alice (k) --- message m, tag ---> Bob (k)

Generate tag: tag ← S(k, m)
Verify tag: V(k, m, tag) =? 'yes'

Def: MAC I = (S,V) defined over (K,M,T) is a pair of algs:
- S(k,m) outputs t in T
- V(k,m,t) outputs 'yes' or 'no'

Integrity requires a secret key

Alice --- message m, tag ---> Bob

Generate tag: tag ← CRC(m)
Verify tag: V(m, tag) =? 'yes'

Attacker can easily modify message m and re-compute CRC. CRC designed to detect random, not malicious errors.

Secure MACs

Attacker's power: chosen message attack
- for m1, m2, …, mq attacker is given ti ← S(k,mi)

Attacker's goal: existential forgery
- produce some new valid message/tag pair (m,t), with (m,t) ∉ { (m1,t1), …, (mq,tq) }

- attacker cannot produce a valid tag for a new message
- given (m,t) attacker cannot even produce (m,t') for t' ≠ t

Secure MACs

For a MAC I=(S,V) and adv. A define a MAC game as:
- Chal. picks k ← K
- Adv. sends m1 ∈ M; Chal. returns t1 ← S(k,m1)
- Adv. sends m2, …, mq; Chal. returns t2, …, tq
- Adv. outputs (m,t)
- Chal. outputs b: b=1 if V(k,m,t) = 'yes' and (m,t) ∉ { (m1,t1), …, (mq,tq) }; b=0 otherwise

Def: I=(S,V) is a secure MAC if for all efficient A: AdvMAC[A,I] = Pr[Chal. outputs 1] is negligible.

Let I = (S,V) be a MAC. Suppose an attacker is able to find m0 ≠ m1 such that S(k, m0) = S(k, m1) for of the keys k in K. Can this MAC be secure?
- Yes, the attacker cannot generate a valid tag for m0 or m1
- No, this MAC can be broken using a chosen msg attack
- It depends on the details of the MAC

Let I = (S,V) be a MAC. Suppose S(k,m) is always 5 bits long. Can this MAC be secure?
- No, an attacker can simply guess the tag for messages
- It depends on the details of the MAC
- Yes, the attacker cannot generate a valid tag for any message

Example: protecting system files

Suppose at install time the system computes:

filename F1: t1 = S(k,F1)
filename F2: t2 = S(k,F2)
…
filename Fn: tn = S(k,Fn)

k derived from user's password

Later a virus infects system and modifies system files.
User reboots into clean OS and supplies his password.
Then: secure MAC ⇒ all modified files will be detected
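The install-time tagging and clean-boot check from this slide, run side by side with the keyless CRC from the earlier slide, as an added example that is not part of the original slides. HMAC-SHA256 as S, PBKDF2 for the password-derived key, the salt, and the file names and contents are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import zlib

def derive_key(password: str, salt: bytes) -> bytes:
    # "k derived from user's password": PBKDF2 and its parameters are assumptions.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def S(k: bytes, m: bytes) -> bytes:
    # Signing algorithm S(k, m); HMAC-SHA256 is the assumed MAC.
    return hmac.new(k, m, hashlib.sha256).digest()

def V(k: bytes, m: bytes, t: bytes) -> bool:
    # Verification algorithm V(k, m, t), using a constant-time comparison.
    return hmac.compare_digest(S(k, m), t)

def tag_files(k: bytes, files: dict) -> dict:
    # Install time: t_i = S(k, F_i) for every file.
    return {name: S(k, data) for name, data in files.items()}

def modified_files(k: bytes, files: dict, tags: dict) -> list:
    # Clean-OS check: report every file whose stored tag is missing or fails V.
    return sorted(n for n, d in files.items()
                  if n not in tags or not V(k, d, tags[n]))

def demo():
    salt = b"constructed-salt"                       # constructed sample values
    files = {"/bin/login": b"original login binary",
             "/bin/ls": b"original ls binary"}
    k = derive_key("user password", salt)
    mac_tags = tag_files(k, files)
    crc_tags = {n: zlib.crc32(d) for n, d in files.items()}
    del k                                            # the key is not kept on disk

    # A virus rewrites a file and every stored tag it is able to recompute.
    files["/bin/login"] = b"tampered login binary"
    crc_tags["/bin/login"] = zlib.crc32(files["/bin/login"])    # needs no key
    mac_tags["/bin/login"] = S(bytes(32), files["/bin/login"])  # wrong key

    # The user boots a clean OS and supplies the password again.
    k = derive_key("user password", salt)
    crc_flagged = sorted(n for n, d in files.items()
                         if zlib.crc32(d) != crc_tags[n])
    return crc_flagged, modified_files(k, files, mac_tags)

if __name__ == "__main__":
    print(demo())
```

The CRC check flags nothing because the stored checksum was recomputed along with the file, while the MAC check flags the modified file because its tag cannot be recomputed without k.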

End of Segment
