forked from edfelten/cos432-lecture-notes
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Lecture01.tex
223 lines (183 loc) · 8.12 KB
/
Lecture01.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
%!TEX root = InfoSec.tex
% Lecture 1: 10 September 2014
\sektion{0}{Course Information}
Professor: Ed Felten
Website: \url{http://bit.ly/1wcHQIT} and Piazza
Lectures: 11am Monday, Wednesday in McCosh 50
\sektion{1}{Message Integrity}
\subsektion{Sending messages}
\ovalbox{Alice} $\xrightarrow{m}$
\ovalbox{Mallory} $\xrightarrow{?}$
\ovalbox{Bob}
{\bf Threat Models:}, what adversary can do and accomplish vs. what we want to do and accomplish. We generally assume
that Mallory is malicious in the most devious possible way, as opposed
to random error. In this case of Alice sending Bob a message:
\begin{itemize}
\item Mallory can see and forge messages
\item Mallory wants to get Bob to accept a message that Alice didn't send
\item Alice and Bob want Alice to be able to send a message and have Bob receive it in an untampered form.
\end{itemize}
\sidenote{
{\bf CIA Properties}
\begin{itemize}
\item Confidentiality: trying to keep information secret from someone
\item Integrity: making sure information hasn't been tampered with
\item Availability: making sure system is there and running when needed (hardest to achieve!)
\end{itemize}
}
In this problem, the goal is only integrity. \\
\sidenote{
{\bf Role of stories in security:}
\begin{itemize}
\item Pro: easy to follow
\item Cons:
\begin{itemize}
\item In reality,``Alice/Bob'' is a computer; for example, a server with no common sense
\item In reality, ``Alice/Bob'' is a person + computer (one may have some
knowledge that other doesn't, e.g. knowledge divergence in
phishing attack)
\item We might be biased into rooting for one side or the other and lose impartiality
\end{itemize}
\end{itemize}
}
What to send:\\
\ovalbox{Alice} $\xrightarrow{(m, f(m))}$
\ovalbox{Mallory} $\xrightarrow{(a,b)}$
\ovalbox{Bob} : accept $a$ iff $f(a) = b$
where $f$ is a {\bf Message Authentication Code (MAC)}\\
Properties $f$ needs to be a secure MAC:
\begin{enumerate}
\item deterministic (Bob needs to get the same answer that Alice got every time)
\item easily computable by Alice and Bob
\item not computable by Mallory (else Mallory can send $(x, f(x))$ for any
$x$ s/he wants)
\end{enumerate}
Choosing $f$:
\begin{itemize}
\item Picking a secret function is risky because it is difficult
to quantify how likely Mallory will be able to guess the function.
\item Use a random function...
\begin{table}[!h]\centering\begin{tabular}{r|ll}
input & output &\\
\cline{1-2}
$\emptyset$ & 01011... & $\leftarrow$ 256 coin flips\\
0 & 101... &\\
1 & ... &\\
\end{tabular}\end{table}
\sidenote{
{\bf ``secure MAC game'': Us vs. Mallory}
\hspace*{0.5 cm} repeat until Mallory says ``stop'': \{\\
\hspace*{1 cm} Mallory chooses $x_i$\\
\hspace*{1 cm} we announce $f(x_i)$\\
\hspace*{0.5 cm} \}\\
\hspace*{0.5 cm} Mallory chooses $y \not\in \{x_i\}$\\
\hspace*{0.5 cm} Mallory guesses $f(y)$: wins if right
\\
$f$ is a secure MAC if and only if every efficient (polytime) strategy for Mallory
wins with negligible (probability that goes to 0) probability. In other words,
$f$ is a secure MAC if Mallory can't do better than random guessing.
\bigskip
\begin{theorem*}{A random function is a secure MAC.}\end{theorem*}
\emph{Intuition:} Mallory asks to reveal certain entries, but for $y$
Mallory is trying to guess the result of the coin flips
}
\item ...Or more practically, a pseudorandom function:
{\bf pseudorandom function (PRF)}: ``looks random'', ``as good as
random'', practical to implement
typical approach:
\begin{itemize}
\item \underline{public} family of function $f_0, f_1, f_2, \dots$
\item \underline{secret} key $k$ which is, for example, a 256 bit random value
\item \underline{use} $f(k, x)$
\end{itemize}
\sidenote{
{\bf Kerckhoffs's principle:}
Use a public function family and a randomly chosen secret key.
\bigskip
Advantages:
\begin{enumerate}
\item can quantify probability that key will be guessed
\item different people can use the same functions with different keys
\item can change key if needed (if it's given out or lost)
\end{enumerate}
}
\\
\sidenote{
{\bf ``PRF game'' against Mallory}:
\hspace*{0.5 cm} we flip a coin secretly to get $b \in \{0,1\}$\\
\hspace*{0.5 cm} if $b = 0$, let $g = $ random function\\
\hspace*{0.5 cm} else, $g=f(k, x)$ for random $k$\\
\hspace*{0.5 cm} repeat until Mallory says ``stop'': \{\\
\hspace*{1 cm} Mallory chooses $x_i$\\
\hspace*{1 cm} we announce $g(x_i)$\\
\hspace*{0.5 cm} \}\\
\hspace*{0.5 cm} Mallory guesses latest $b$: wins if right\\
$f$ is a PRF if and only if every efficient strategy for Mallory wins with probability less than
$0.5 + \epsilon$ where $\epsilon$ is negligible. \\
Note: Mallory can always win by exhaustive search of the range of $k$ in $f(k, x)$, so need to
limit Mallory to ``practical''\\
\begin{theorem*}{If $f$ is a PRF, then $f$ is a secure MAC}\end{theorem*}
\begin{proof} By contradiction. There's a reduction going on; we wanted
to find a secure MAC, which led us to wanting to find a secure PRF
\end{proof}
}
\end{itemize}
What to send (new):\\
\ovalbox{Alice} $\xrightarrow{(m, f(k, m)}$
\ovalbox{Mallory} $\xrightarrow{(a,b)}$
\ovalbox{Bob} : accept $a$ iff $f(k, a) = b$
Assumptions:
\begin{enumerate}
\item $k$ is kept secret from Mallory
\item Alice and Bob have established $k$ in advance
\item Mallory doesn't tamper with the code that computes the function $f(k, a)$
\end{enumerate}
\subsektion{Do PRF's exist?}
Answer: maybe/ we hope so (some functions haven't lost yet)\\
Here's one: HMAC-SHA256
$$f(k, x) = S((k \xor z_1) || S((k \xor z_2) || x))$$
where $z_1 = 0x3636\dots$, $z_2 = 0x5c5c\dots$ (note that $||$ is concatenation)
and $S$ is ``SHA-256'': start with ``compression function'' $C$, taking 256 and
512 bits in, outputting 256 bits
\makebox[2cm]{}\framebox[8cm]{input}\framebox[2cm]{pad}\\
\makebox[2cm]{}\framebox[2cm]{}\framebox[2cm]{}\framebox[2cm]{}\framebox[2cm]{}
\mbox{512 bit blocks}\\
\makebox[2cm]{}\makebox[2cm]{$\Downarrow$}\makebox[2cm]{$\Downarrow$}
\makebox[2cm]{$\Downarrow$}\makebox[2cm]{$\Downarrow$}\\
\makebox[2cm]{const $\rightarrow$}\makebox[2cm]{C}\makebox[.2cm]{$\rightarrow$}
\makebox[1.4cm]{C}\makebox[4.4cm]{$\cdots$}\makebox[2cm]{output}
Note: This is subject to length extension attacks\\
\subsektion{Cryptographic Hash Functions}
They include MD5, SHA-1, SHA-?, etc: functions that take arbitrary size inputs and return
fixed size outputs that are ``hard to reverse." They are dangerous to use directly because
they don't have the properties you think/want then to have.\\
Properties of a cryptographic hash function
\begin{enumerate}
\item Collision resistance:\\
Can't find $x \neq y$ such that $H(x) = (y)$
\item Second preimage resistance:\\
Given $x$, can't find $y$ such that $H(x) = H(y)$
\item If $x$ is chosen randomly from a distribution \textit{with high entropy},
then given $H(x)$, you can't find $x$
\end{enumerate}
Better: use a PRF even if $k$ is non-secret
\subsektion{Timing Attacks}
Suppose Alice and Bob implement MAC-based integrity with the following code
\begin{verbatim}
def macCheck(a, b, key) {
correctMac = Mac(key, a);
for (i = 0; i < length; ++i) {
if (correctMac[i] != b[i]) return false
}
return true
}
\end{verbatim}
The problem? The execution time depends on the first $n$ correct characters. Mallory may observe the runtime to
gain insight on cracking the code.
\subsektion{Multiple Alice - Bob messages}
How to deal with Mallory sending messages out of order or resending old messages
\begin{enumerate}
\item append sequence number to each message:\\
Alice sends $m_0' = (0, m_0)$, $m_1' = (1, m_1)$
\item switch keys per message
\end{enumerate}