diff --git a/content/CSE4303/CSE4303_L10.md b/content/CSE4303/CSE4303_L10.md new file mode 100644 index 0000000..1ad7123 --- /dev/null +++ b/content/CSE4303/CSE4303_L10.md @@ -0,0 +1,175 @@ +# CSE4303 Introduction to Computer Security (Lecture 10) + +## MACs + +### MACs from Hash Functions + +Construction: + +$S_{big}(k, m) = S(k, H(m))$ +$V_{big}(k, m, t) = V(k, H(m), t)$ + +If: +- $S$ is secure MAC for short messages +- $H$ is collision resistant + +Then $S_{big}$ is secure MAC. + +If collision exists: +If $H(m_0) = H(m_1)$, +query tag for $m_0$, +forge $(m_1, t)$. + +### HMAC + +$HMAC(k, m) = H((k \oplus opad) \| H((k \oplus ipad) \| m))$ + +Used in: +- TLS +- IPsec +- SSH + +Properties: +- Built from hash function (for example SHA-256) +- Provably secure under PRF assumptions + +### Timing Attacks on MAC Verification + +Problem: +Byte-by-byte comparison leaks timing information. + +Attack: +1. Send random tag. +2. Guess first byte. +3. Detect timing increase. +4. Repeat per byte. + +Defense 1: +Constant-time comparison loop. + +Defense 2: +Double-HMAC comparison: +Compare $HMAC(k, mac)$ with $HMAC(k, sig)$. + +### Authenticated Encryption (AE) + +AE provides: +1. Confidentiality (CPA security) +2. Ciphertext integrity + +Cipher: + +$E : K \times M \times N \to C$ +$D : K \times C \times N \to M \cup \{\bot\}$ + +Ciphertext integrity: +Attacker cannot produce new valid ciphertext. + +Theorem: +AE implies CCA security. + +Implication: +If $D(k, c) \neq \bot$, +receiver knows sender had key. + +### Encrypt-then-MAC + +Correct construction: + +1. Compute $c = E(k_E, m)$ +2. Compute $tag = S(k_I, c)$ +3. Send $(c, tag)$ + +Encrypt-then-MAC is always secure ordering. + +### AE Standards + +- GCM: CTR mode encryption then polynomial MAC +- CCM: CBC-MAC then CTR mode encryption +- EAX: CTR mode encryption then CMAC + +All support AEAD: +Authenticated Encryption with Associated Data. +Example: authenticate packet headers but do not encrypt them. + +## Asymmetric Crypto Authentication: Digital Signatures + +### Motivation + +Goal: +Bind document to author. + +Digital problem: +Anyone can copy a visible signature from one document to another. + +Solution: +Make signature depend on document contents. + +### Digital Signature Scheme + +Components: +- Secret signing key $sk$ +- Public verification key $pk$ +- $Sign(sk, m) \to signature$ +- $Verify(pk, m, sig) \to$ accept or reject + +Property: +Anyone can verify. +Only signer can produce valid signature. + +### Signing a Certificate + +Process: +1. Compute hash of data. +2. Sign hash with secret key. +3. Attach signature to data. + +Verification: +1. Compute hash of received data. +2. Verify signature using public key. +3. Accept if hashes match. + +### Software Signing + +Software vendor: +- Signs update with secret key. +- Publishes update and signature. + +Clients: +- Use vendor public key. +- Verify signature. +- Install only if valid. + +Allows distribution via untrusted hosting site. + +## Review: Three Approaches to Data Integrity + +1. Collision resistant hashing + Requires secure read-only public space. + No secret keys. + Suitable for public verification. + +2. MACs + Requires shared secret key. + Must compute new MAC per user. + Suitable when one signs and one verifies. + +3. Digital signatures + Requires long-term secret key. + Public verification. + Suitable when one signs and many verify. + +## Crypto Summary + +Cryptographic goals: +- Confidentiality +- Data integrity +- Authentication +- Non-repudiation + +Primitives: +- Hash functions +- MACs +- Digital signatures +- Symmetric ciphers +- Public key ciphers diff --git a/content/CSE4303/CSE4303_L9.md b/content/CSE4303/CSE4303_L9.md index 165787e..e1418dd 100644 --- a/content/CSE4303/CSE4303_L9.md +++ b/content/CSE4303/CSE4303_L9.md @@ -218,6 +218,8 @@ Public verifiability works if read-only space is trusted. ## Symmetric Crypto Authentication: MACs and AE +This section can also be found here [CSE442T Introduction to Cryptography (Lecture 18)](https://notenextra.trance-0.com/CSE442T/CSE442T_L18/#chapter-5-authentication) + ### Message Authentication Codes (MACs) Definition: @@ -250,175 +252,3 @@ then derived MAC is secure. Condition: $1 / |Y|$ must be negligible. Example: $|Y| = 2^{80}$. - -### MACs from Hash Functions - -Construction: - -$S_{big}(k, m) = S(k, H(m))$ -$V_{big}(k, m, t) = V(k, H(m), t)$ - -If: -- $S$ is secure MAC for short messages -- $H$ is collision resistant - -Then $S_{big}$ is secure MAC. - -If collision exists: -If $H(m_0) = H(m_1)$, -query tag for $m_0$, -forge $(m_1, t)$. - -### HMAC - -$HMAC(k, m) = H((k \oplus opad) \| H((k \oplus ipad) \| m))$ - -Used in: -- TLS -- IPsec -- SSH - -Properties: -- Built from hash function (for example SHA-256) -- Provably secure under PRF assumptions - -### Timing Attacks on MAC Verification - -Problem: -Byte-by-byte comparison leaks timing information. - -Attack: -1. Send random tag. -2. Guess first byte. -3. Detect timing increase. -4. Repeat per byte. - -Defense 1: -Constant-time comparison loop. - -Defense 2: -Double-HMAC comparison: -Compare $HMAC(k, mac)$ with $HMAC(k, sig)$. - -### Authenticated Encryption (AE) - -AE provides: -1. Confidentiality (CPA security) -2. Ciphertext integrity - -Cipher: - -$E : K \times M \times N \to C$ -$D : K \times C \times N \to M \cup \{\bot\}$ - -Ciphertext integrity: -Attacker cannot produce new valid ciphertext. - -Theorem: -AE implies CCA security. - -Implication: -If $D(k, c) \neq \bot$, -receiver knows sender had key. - -### Encrypt-then-MAC - -Correct construction: - -1. Compute $c = E(k_E, m)$ -2. Compute $tag = S(k_I, c)$ -3. Send $(c, tag)$ - -Encrypt-then-MAC is always secure ordering. - -### AE Standards - -- GCM: CTR mode encryption then polynomial MAC -- CCM: CBC-MAC then CTR mode encryption -- EAX: CTR mode encryption then CMAC - -All support AEAD: -Authenticated Encryption with Associated Data. -Example: authenticate packet headers but do not encrypt them. - -## Asymmetric Crypto Authentication: Digital Signatures - -### Motivation - -Goal: -Bind document to author. - -Digital problem: -Anyone can copy a visible signature from one document to another. - -Solution: -Make signature depend on document contents. - -### Digital Signature Scheme - -Components: -- Secret signing key $sk$ -- Public verification key $pk$ -- $Sign(sk, m) \to signature$ -- $Verify(pk, m, sig) \to$ accept or reject - -Property: -Anyone can verify. -Only signer can produce valid signature. - -### Signing a Certificate - -Process: -1. Compute hash of data. -2. Sign hash with secret key. -3. Attach signature to data. - -Verification: -1. Compute hash of received data. -2. Verify signature using public key. -3. Accept if hashes match. - -### Software Signing - -Software vendor: -- Signs update with secret key. -- Publishes update and signature. - -Clients: -- Use vendor public key. -- Verify signature. -- Install only if valid. - -Allows distribution via untrusted hosting site. - -## Review: Three Approaches to Data Integrity - -1. Collision resistant hashing - Requires secure read-only public space. - No secret keys. - Suitable for public verification. - -2. MACs - Requires shared secret key. - Must compute new MAC per user. - Suitable when one signs and one verifies. - -3. Digital signatures - Requires long-term secret key. - Public verification. - Suitable when one signs and many verify. - -## Crypto Summary - -Cryptographic goals: -- Confidentiality -- Data integrity -- Authentication -- Non-repudiation - -Primitives: -- Hash functions -- MACs -- Digital signatures -- Symmetric ciphers -- Public key ciphers