Beruflich Dokumente
Kultur Dokumente
Message
integrity
Secrecy
vs.
integrity
• So
far
we
have
been
concerned
with
ensuring
secrecy
of
communica9on
k k
m
…price=10…
k
cookie,
t
cookie
cookie, t
k
cookie
Secrecy
vs.
integrity
• Secrecy
and
integrity
are
orthogonal
concerns
– Possible
to
have
either
one
without
the
other
k k
m
m1m2…m’n
c
c
←=
Eknc
⊕k
m
(m)
Message
authen9ca9on
code
(MAC)
• A
message
authen0ca0on
code
is
defined
by
three
PPT
algorithms
(Gen,
Mac,
Vrfy):
– Gen:
takes
as
input
1n;
outputs
k.
(Assume
|k|≥n.)
– Mac:
takes
as
input
key
k
and
message
m∈{0,1}*;
outputs
tag
t
t
:=
Mack(m)
– Vrfy:
takes
key
k,
message
m,
and
tag
t
as
input;
outputs
For
1
(“accept”)
all
m
and
aoll
r
0k
o
(“reject”)
utput
by
Gen,
Vrfyk(m,
Mack(m))
=
1
Security?
• Only
one
standard
defini9on
• Threat
model
– “Adap9ve
chosen-‐message
a@ack”
– Assume
the
a@acker
can
induce
the
sender
to
authen9cate
messages
of
the
a6acker’s
choice
• Security
goal
– “Existen9al
unforgeability”
– A@acker
should
be
unable
to
forge
a
valid
tag
on
any
message
not
authen9cated
by
the
sender
m1,
t1
k
m2,
t2
t1
:=
Mack(m1)
…
t2
:=
Mack(m2)
…
mi,
ti
ti
:=
Mack(mi)
m’,
t’
k
Vrfyk(m’,
t’)
??
Security?
• Is
the
defini9on
too
strong?
– We
don’t
want
to
make
any
assump9ons
about
what
the
sender
might
authen9cate
– We
don’t
want
to
make
any
assump9ons
about
what
forgeries
are
“meaningful”