Abstract
Message Authentication Codes (MACs) are core algorithms deployed in virtually every security protocol in common usage. In these protocols, the integrity and authenticity of messages rely entirely on the security of the MAC; we examine cases in which this security is lost.
In this paper we examine the notion of “reforgeability” for MACs and motivate its utility in the context of {power, bandwidth, CPU}-constrained computing environments. We first give a definition for this new notion, then examine some of the most widely used and well-known MACs under it in a variety of adversarial settings, finding in nearly all cases a failure to meet the new notion. We examine two simple countermeasures that increase resistance to reforgeability, keeping state and truncating the tag length, but find that the two cannot be applied simultaneously to modern MACs. In response, we give a tight security reduction for a new MAC, WMAC, which we argue is the “best fit” for resource-limited devices.
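The reforgeability phenomenon the abstract describes, worked through on a CBC-MAC built over a toy block cipher. This is an added example and not code from the paper: the 16-bit Feistel cipher, the demo key and the sample messages are constructed here so that the birthday bound (roughly 2^8 queries) is reachable in milliseconds. The attacker's first forgery costs a birthday search for two 2-block prefixes whose CBC chaining values collide; every later forgery then costs a single tagging query. Truncating the tag, one of the two countermeasures the abstract examines, changes this: a collision in a truncated tag no longer implies a collision in the chaining state, so the later forgeries mostly fail. CBC-MAC is used over fixed-length (3-block) messages, the setting in which the Bellare, Kilian and Rogaway result cited in the references applies.

```python
"""Added example (not from the paper): reforgeability of a CBC-MAC once one
collision has been found, and how tag truncation changes the picture.

Everything here is constructed for illustration: the 16-bit toy block cipher,
the demo key and the sample messages are not from any real deployment."""
import hashlib
import hmac
import random

BLOCK_BITS = 16
MASK = (1 << BLOCK_BITS) - 1


def _round_function(key: bytes, rnd: int, half: int) -> int:
    """Keyed 8-bit round function derived from HMAC-SHA256 (constructed)."""
    return hmac.new(key, bytes([rnd, half]), hashlib.sha256).digest()[0]


def toy_encrypt(key: bytes, block: int) -> int:
    """Toy 16-bit block cipher: a 4-round Feistel network over two 8-bit halves.
    It is a permutation, which is all CBC-MAC needs; the tiny block makes the
    birthday bound (about 2**8 queries) cheap to reach."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _round_function(key, rnd, right)
    return (left << 8) | right


def cbc_mac(key: bytes, blocks: list, tag_bits: int = BLOCK_BITS) -> int:
    """Plain CBC-MAC (zero IV) over a list of 16-bit blocks, optionally
    truncated to the tag_bits most significant bits of the final state."""
    state = 0
    for b in blocks:
        state = toy_encrypt(key, state ^ b)
    return state >> (BLOCK_BITS - tag_bits)


class MacOracle:
    """Tagging/verification oracle that counts the attacker's tag queries."""

    def __init__(self, key: bytes, tag_bits: int):
        self._key, self.tag_bits, self.queries = key, tag_bits, 0

    def tag(self, blocks: list) -> int:
        self.queries += 1
        return cbc_mac(self._key, blocks, self.tag_bits)

    def verify(self, blocks: list, tag: int) -> bool:
        return cbc_mac(self._key, blocks, self.tag_bits) == tag


def find_collision(oracle: MacOracle, rng: random.Random, fixed_suffix: int):
    """Birthday search over 3-block messages P||fixed_suffix with random 2-block
    prefixes P until two distinct prefixes yield the same tag. With an
    untruncated tag, a tag collision is a collision of the chaining state after
    P, because the final encryption is injective in that state."""
    tried, seen = set(), {}
    while True:
        prefix = (rng.randrange(MASK + 1), rng.randrange(MASK + 1))
        if prefix in tried:
            continue
        tried.add(prefix)
        t = oracle.tag([*prefix, fixed_suffix])
        if t in seen:
            return seen[t], prefix
        seen[t] = prefix


def reforge(oracle: MacOracle, collision, suffixes: list) -> list:
    """Each later forgery: one tag query on P||x, then claim the same tag for
    P'||x, a message the oracle never tagged. Returns the verifier's verdicts."""
    p, p_prime = collision
    verdicts = []
    for x in suffixes:
        t = oracle.tag([*p, x])
        verdicts.append(oracle.verify([*p_prime, x], t))
    return verdicts


def run_experiment(tag_bits: int, n_forgeries: int = 50, seed: int = 1) -> dict:
    """Cost of the first forgery versus each later one, for a given tag width."""
    rng = random.Random(seed)
    key = hashlib.sha256(b"constructed demo key").digest()  # constructed, not secret
    oracle = MacOracle(key, tag_bits)
    collision = find_collision(oracle, rng, fixed_suffix=0)
    first_cost = oracle.queries
    # Fresh suffixes, never 0, so every forged message is genuinely new.
    suffixes = rng.sample(range(1, MASK + 1), n_forgeries)
    verdicts = reforge(oracle, collision, suffixes)
    return {
        "tag_bits": tag_bits,
        "queries_for_first_collision": first_cost,
        "forgeries_attempted": n_forgeries,
        "forgeries_succeeded": sum(verdicts),
        "queries_per_later_forgery": (oracle.queries - first_cost) / n_forgeries,
    }


if __name__ == "__main__":
    for bits in (BLOCK_BITS, 8):
        print(run_experiment(bits))
```

Running the block prints one result per tag width. With the full 16-bit tag, every one of the 50 later forgeries verifies at a cost of exactly one query each, after a few hundred queries for the initial collision. With the tag truncated to 8 bits the collision is found far sooner, but the later forgeries almost all fail because the attacker no longer learns that the chaining states collided; what remains is the generic 2^-8 success probability per attempt that the shorter tag concedes. That is the trade-off behind the countermeasures the abstract weighs.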
References
[1] American Bankers Association: ANSI X9.19, Financial institution retail message authentication. Washington, D.C. (August 1986)
[2] Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz [19], pp. 1–15
[3] Bellare, M., Kilian, J., Rogaway, P.: The security of cipher block chaining. In: Desmedt [14], pp. 341–358
[4] Bernstein, D.J.: Floating-point arithmetic and message authentication. Draft available at http://cr.yp.to/papers/hash127.dvi
[5] Bernstein, D.J.: Polynomial evaluation and message authentication. Draft available at http://cr.yp.to/papers.html#pema
[6] Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert and Handschuh [16], pp. 32–49
[7] Bernstein, D.J.: Stronger security bounds for Wegman-Carter-Shoup authenticators. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 164–180. Springer, Heidelberg (2005)
[8] Black, J., Cochran, M.: MAC reforgeability. IACR ePrint Archive, Report 2006/095 (2006), http://eprint.iacr.org/2006/095.pdf
[9] Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: Fast and secure message authentication. In: Wiener [30], pp. 216–233
[10] Brincat, K., Mitchell, C.J.: New CBC-MAC forgery attacks. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 3–14. Springer, Heidelberg (2001)
[11] Carter, J., Wegman, M.: Universal hash functions. Journal of Computer and System Sciences 18, 143–154 (1979)
[12] Dai, W., Krovetz, T.: VHASH security. IACR ePrint Archive, Report 2007/338 (2007), http://eprint.iacr.org/2007/338.pdf
[13] den Boer, B.: A simple and key-economical unconditional authentication scheme. Journal of Computer Security 2, 65–72 (1993)
[14] Desmedt, Y. (ed.): CRYPTO 1994. LNCS, vol. 839. Springer, Heidelberg (1994)
[15] Etzel, M., Patel, S., Ramzan, Z.: Square hash: Fast message authentication via optimized universal hash functions. In: Wiener [30], pp. 234–251
[16] Gilbert, H., Handschuh, H. (eds.): FSE 2005. LNCS, vol. 3557. Springer, Heidelberg (2005)
[17] Halevi, S., Krawczyk, H.: MMH: Software message authentication in the Gbit/second rates. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 172–189. Springer, Heidelberg (1997)
[18] Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008)
[19] Koblitz, N. (ed.): CRYPTO 1996. LNCS, vol. 1109. Springer, Heidelberg (1996)
[20] Krawczyk, H.: LFSR-based hashing and authentication. In: Desmedt [14], pp. 129–139
[21] McGrew, D., Viega, J.: The Galois/Counter Mode of operation (GCM). Submission to NIST (2005), http://cs.www.ncsl.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
[22] McGrew, D., Weis, B.: Requirements on fast message authentication codes. IETF Internet-Draft, intended status: Informational (February 2008), http://www.ietf.org/internet-drafts/draft-irtf-cfrg-fast-mac-requirements-01.txt
[23] McGrew, D.A., Fluhrer, S.R.: Multiple forgery attacks against message authentication codes. IACR ePrint Archive, Report 2005/161 (2005), http://eprint.iacr.org/2005/161.pdf
[24] Preneel, B., van Oorschot, P.C.: MDx-MAC and building fast MACs from hash functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 1–14. Springer, Heidelberg (1995)
[25] Rogaway, P.: Bucket hashing and its application to fast message authentication. Journal of Cryptology 12(2), 91–115 (1999)
[26] Rogaway, P., Bellare, M., Black, J.: OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Transactions on Information and System Security 6(3), 365–403 (2003)
[27] Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz [19], pp. 313–328
[28] Stinson, D.R.: On the connections between universal hashing, combinatorial designs and error-correcting codes. Electronic Colloquium on Computational Complexity (ECCC) 2, 52 (1995)
[29] Wegman, M., Carter, J.: New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences 22, 265–279 (1981)
[30] Wiener, M.J. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999)
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Black, J., Cochran, M. (2009). MAC Reforgeability. In: Dunkelman, O. (eds) Fast Software Encryption. FSE 2009. Lecture Notes in Computer Science, vol 5665. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03317-9_21
DOI: https://doi.org/10.1007/978-3-642-03317-9_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03316-2
Online ISBN: 978-3-642-03317-9