Lecture01.tex

%!TEX root = InfoSec.tex 
% Lecture 1: 10 September 2014 with Ed Felten

\sektion{1}{Message Integrity}
\subsektion{Sending messages}
\ovalbox{Alice} $\xrightarrow{m}$
    \ovalbox{Mallory} $\xrightarrow{?}$
    \ovalbox{Bob}

{\bf Threat Models:}, what adversary can do and accomplish vs. what we want to do and accomplish. We generally assume
         that Mallory is malicious in the most devious possible way, as opposed
         to random error. In this case of Alice sending Bob a message: 
\begin{itemize}
    \item Mallory can see and forge messages
    \item Mallory wants to get Bob to accept a message that Alice didn't send
    \item Alice and Bob want Alice to be able to send a message and have Bob receive it in an untampered form.
\end{itemize}

\sidenote{
    {\bf CIA Properties}
    \begin{itemize}
        \item Confidentiality: trying to keep information secret from someone
        \item Integrity: making sure information hasn't been tampered with
        \item Availability: making sure system is there and running when needed (hardest to achieve!)
    \end{itemize}
}

In this problem, the goal is only integrity. \\

\sidenote{
    {\bf Role of stories in security:}
    \begin{itemize}
        \item Pro: easy to follow
        \item Cons:
        \begin{itemize}
            \item In reality,``Alice/Bob'' is a computer; for example, a server with no common sense
            \item In reality, ``Alice/Bob'' is a person + computer (one may have some
                    knowledge that other doesn't, e.g. knowledge divergence in
                    phishing attack)
            \item We might be biased into rooting for one side or the other and lose impartiality
        \end{itemize}
    \end{itemize}
}

What to send:\\

\ovalbox{Alice} $\xrightarrow{(m, f(m))}$
    \ovalbox{Mallory} $\xrightarrow{(a,b)}$
    \ovalbox{Bob} : accept $a$ iff $f(a) = b$

where $f$ is a {\bf Message Authentication Code (MAC)}\\

Properties $f$ needs to be a secure MAC:
\begin{enumerate}
    \item deterministic (Bob needs to get the same answer that Alice got every time)
    \item easily computable by Alice and Bob
    \item not computable by Mallory (else Mallory can send $(x, f(x))$ for any
        $x$ s/he wants)
\end{enumerate}

Choosing $f$:
\begin{itemize}
    \item Picking a secret function is risky because it is difficult 
    	to quantify how likely Mallory will be able to guess the function.
    \item Use a random function...
        \begin{table}[!h]\centering\begin{tabular}{r|ll}
            input & output &\\
            \cline{1-2}
            $\emptyset$ & 01011... & $\leftarrow$ 256 coin flips\\
            0 & 101... &\\
            1 & ... &\\
        \end{tabular}\end{table}

\sidenote{
    {\bf ``secure MAC game'': Us vs. Mallory}

    \hspace*{0.5 cm} repeat until Mallory says ``stop'': \{\\
        \hspace*{1 cm} Mallory chooses $x_i$\\
        \hspace*{1 cm} we announce $f(x_i)$\\
    \hspace*{0.5 cm} \}\\
    \hspace*{0.5 cm} Mallory chooses $y \not\in \{x_i\}$\\
    \hspace*{0.5 cm} Mallory guesses $f(y)$: wins if right
    \\

    $f$ is a secure MAC if and only if every efficient (polytime) strategy for Mallory 
    wins with negligible (probability that goes to 0) probability. In other words, 
    $f$ is a secure MAC if Mallory can't do better than random guessing.
    
    \bigskip
    
    \begin{theorem*}{A random function is a secure MAC.}\end{theorem*}
    \emph{Intuition:} Mallory asks to reveal certain entries, but for $y$
        Mallory is trying to guess the result of the coin flips
}
    \item ...Or more practically, a pseudorandom function:

        {\bf pseudorandom function (PRF)}: ``looks random'', ``as good as
            random'', practical to implement

        typical approach:
        \begin{itemize}
            \item \underline{public} family of function $f_0, f_1, f_2, \dots$
            \item \underline{secret} key $k$ which is, for example, a 256 bit random value
            \item \underline{use} $f(k, x)$
        \end{itemize}
        
\sidenote{
    {\bf Kerckhoffs's principle:}

    Use a public function family and a randomly chosen secret key.
    \bigskip
    Advantages:
    \begin{enumerate}
        \item can quantify probability that key will be guessed
        \item different people can use the same functions with different keys
        \item can change key if needed (if it's given out or lost)
    \end{enumerate}
}
\\
\sidenote{
    {\bf ``PRF game'' against Mallory}:

    \hspace*{0.5 cm} we flip a coin secretly to get $b \in \{0,1\}$\\
    \hspace*{0.5 cm} if $b = 0$, let $g = $ random function\\
    \hspace*{0.5 cm} else, $g=f(k, x)$ for random $k$\\
    \hspace*{0.5 cm} repeat until Mallory says ``stop'': \{\\
        \hspace*{1 cm} Mallory chooses $x_i$\\
        \hspace*{1 cm} we announce $g(x_i)$\\
    \hspace*{0.5 cm} \}\\
    \hspace*{0.5 cm} Mallory guesses latest $b$: wins if right\\
    
    
    $f$ is a PRF if and only if every efficient strategy for Mallory wins with probability less than
    $0.5 + \epsilon$ where $\epsilon$ is negligible. \\

    Note: Mallory can always win by exhaustive search of the range of $k$ in $f(k, x)$, so need to
    limit Mallory to ``practical''\\

    \begin{theorem*}{If $f$ is a PRF, then $f$ is a secure MAC}\end{theorem*}
    \begin{proof} By contradiction. There's a reduction going on; we wanted
    to find a secure MAC, which led us to wanting to find a secure PRF
    \end{proof}
}
\end{itemize}

What to send (new):\\

\ovalbox{Alice} $\xrightarrow{(m, f(k, m)}$
    \ovalbox{Mallory} $\xrightarrow{(a,b)}$
    \ovalbox{Bob} : accept $a$ iff $f(k, a) = b$

Assumptions:
\begin{enumerate}
    \item $k$ is kept secret from Mallory
    \item Alice and Bob have established $k$ in advance
    \item Mallory doesn't tamper with the code that computes the function $f(k, a)$
\end{enumerate}

\subsektion{Do PRF's exist?}
Answer: maybe/ we hope so (some functions haven't lost yet)\\

Here's one: HMAC-SHA256
$$f(k, x) = S((k \xor z_1) || S((k \xor z_2) || x))$$
where $z_1 = 0x3636\dots$, $z_2 = 0x5c5c\dots$ (note that $||$ is concatenation)
and $S$ is ``SHA-256'': start with ``compression function'' $C$, taking 256 and
512 bits in, outputting 256 bits

\makebox[2cm]{}\framebox[8cm]{input}\framebox[2cm]{pad}\\
\makebox[2cm]{}\framebox[2cm]{}\framebox[2cm]{}\framebox[2cm]{}\framebox[2cm]{}
\mbox{512 bit blocks}\\
\makebox[2cm]{}\makebox[2cm]{$\Downarrow$}\makebox[2cm]{$\Downarrow$}
\makebox[2cm]{$\Downarrow$}\makebox[2cm]{$\Downarrow$}\\
\makebox[2cm]{const $\rightarrow$}\makebox[2cm]{C}\makebox[.2cm]{$\rightarrow$}
\makebox[1.4cm]{C}\makebox[4.4cm]{$\cdots$}\makebox[2cm]{output}

Note: This is subject to length extension attacks\\

\subsektion{Cryptographic Hash Functions}
They include MD5, SHA-1, SHA-?, etc: functions that take arbitrary size inputs and return
fixed size outputs that are ``hard to reverse." They are dangerous to use directly because
they don't have the properties you think/want then to have.\\

Properties of a cryptographic hash function
\begin{enumerate}
	\item Collision resistance:\\
		Can't find $x \neq y$ such that $H(x) = H(y)$
	\item Second preimage resistance:\\
		Given $x$, can't find $y$ such that $H(x) = H(y)$
	\item If $x$ is chosen randomly from a distribution \textit{with high entropy},
	then given $H(x)$, you can't find $x$
\end{enumerate}

Better: use a PRF even if $k$ is non-secret

\subsektion{Timing Attacks}
Suppose Alice and Bob implement MAC-based integrity with the following code

\begin{verbatim}
def macCheck(a, b, key) {
    correctMac = Mac(key, a);
    for (i = 0; i < length; ++i) {
        if (correctMac[i] != b[i]) return false
        }
    return true
}
\end{verbatim}

The problem? The execution time depends on the first $n$ correct characters. Mallory may observe the runtime to
gain insight on cracking the code.

\subsektion{Multiple Alice - Bob messages}
How to deal with Mallory sending messages out of order or resending old messages
\begin{enumerate}
\item append sequence number to each message:\\
        Alice sends $m_0' = (0, m_0)$, $m_1' = (1, m_1)$
\item switch keys per message
\end{enumerate}