Cryptography Authentication Codes

shoulderslyricalΤεχνίτη Νοημοσύνη και Ρομποτική

21 Νοε 2013 (πριν από 3 χρόνια και 8 μήνες)

49 εμφανίσεις



Cryptography


Authentication Codes


When Alice sends a message to Bob (encrypted or not), how can Bob
be sure that it was Alice who sent the message, and how does he
know that the message was not altered by someone else during its
transmission.


This p
oints to the need for an
authentication code.


The mathematical setting:


There are three participants: Alice, Bob, and Oscar.


Alice and Bob want to communicate over an insecure channel (e.g.,
by e
-
mail, fax, or cell
-
phone). Oscar (the ``bad guy'') has

the ability
to introduce his own messages into the channel and/or to modify
existing messages.


Consider two types of attacks by Oscar.


When Oscar places a (new) message
m
' into the channel, it is called
impersonation
. When Oscar sees a message
m

and
changes it to a
(different) message
m
'


m
, it is called
substitution
.


As an example, suppose that Bob is Alice's stockbroker. When Alice
sends a message to Bob, such as "buy 1000 shares of Acme stock'',
she would not be very happy if Oscar changed
buy

t
o
sell
!


The goal of an authentication code is to allow Bob to detect

with high probability when such an attack has taken place.





Definition:

An
authentication code
is a four
-
tuple (
S, A, K, E
),
where the following conditions are satisfied.




S

is a fin
ite set of
source states



A
is a finite set of
authenticators
.



K

is a finite set of
keys.



For each
k



K
, there is an
authentication rule e
k



E
,

where
e
k
: S


A.




How an authentication code works:


Alice and Bob jointly choose a secret key
k



K

at
random and
ahead
of time.


A source state is just the information that Alice wants to

communicate to Bob (e.g., ``buy 100 shares … '').


When Alice wants to communicate the source state
s



S

to Bob,
she uses the authentication rule
e
k

to construct the

authenticator


a

=
e
k
(
s
) .


The
message

m

is formed by concatenating s and
a
, i.e.,
m

= (
s
,
a
).


The message
m

is then sent over the channel.


When Bob receives
m

, he verifies that
a

=
e
k
(
s
) to authenticate the
source state
s

. If
a



e
k
(
s
), th
en Bob is able to detect that an attack
has taken place.







Let
P
0
denote the probability that Oscar can deceive Bob by
impersonation (sending a message in Alice's name)



Let
P
1
denote the probability that Oscar can deceive Bob by
substitution (changing Al
ice's sent message)


Theorem
: Suppose there is are
m
MOLS(
n
). Then there is an
authentication code for
m

source states, having
n
authenticators and

n
2

keys, in which
P
0

=
P
1

= 1/
n
.


Note that this is the best possible with
n
authenticators.


Example:


Supp
ose that Alice and Bob want at least 300 source states (so they
need at least 300 MOLS). Now suppose that they want a security
level of 1/5000. This says that they want MOLS of order
n


5000.


The easiest way to satisfy these requirements is to take
n
t
o be the
smallest prime greater than 5000. This is 5003. They construct 300
MOLS(5003) (we saw how to do this earlier).

Call these
L
1
,
L
2
, …,

L
300
.


They also have a previously agreed upon secret key
k



this will be an
ordered pair of numbers from 1 t
o 5003 (say
k

= (1244, 346)).


Then, say if Alice wants to send the source message
s

= 219 (this
could stand for "buy 219 shares of Acme).


Alice computes her authenticator

a = e
(1244, 346)
(219) =
L
219
(1244, 346),


and sends the message
m

= (219,
a
) to

Bob. Bob can check the
authenticity of
m
by looking at the (1244,346) cell of the
L
219
.

If it is not
a

then he knows that something is wrong.

Latin Square Statistical Designs and Covering Arrays




Latin squares provide a efficient way to test for two way

interaction among several variables
.


Example:

Suppose there are
n

varieties of wheat to be tested with
n

fertilizers and
n

insecticides. Then there are
n
3

variety
-
fertilizer
-
insecticide triples to be tested. To reduce experimental cost we can
use a
La
tin Square Design
.




Let the symbols of an
n


n
latin square correspond to the wheat
varieties varieties.



Let the rows correspond to the
n

fertilizers



Let the columns correspond to the
n

insecticides

Can test each variety of wheat with each of the fertiliz
ers and
insecticides in
n
2

tests.


n
= 4









i
1

i
2

i
3


i
4



f
1






f
2






f
3






f
4



Note that wheat variety 1 is matched with the four

fertilizer
-
insecticide pairs (1,1), (2,3), (3,4) and (4,2), so is tes
ted
once with each fertilizer and each insecticide.


An analysis of variance can determine the significance of the data
and whether or not one of the fertilizers or insecticides is better than
the others.



This can easily be generalized to more than thre
e variables by using
orthogonal latin squares.

1 2 3 4

3 4 1 2

4 3 2 1

2 1 4 3




Write the 16 tests in a

3

16 array:





rows



columns



symbols





This is called an
Orthogonal Array
.
This one is an

OA(3,4
)



Fact: The existence of
k

MOLS(
n
) is equivalent to
the

existence of an
OA
(
k,n
)
.

















1 1 1 1 2 2 2 2 3 3 3 3 4 4 4 4

1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4

1 2 3 4 3 4 1 2 4 3 2 1 2 1 4 3



































1 2 3 4

2 1 4 3

3 4 1 2

4 3 2 1

OA’s have been generalized to
Covering Arrays.


(Basically, these are arrays that cover all pairs of variables)


An example

(Cohen, Dalal, et. al. (1996))
:


ATT is testing a telephone network servic
e called AIN (Advanced
Intellegent Network). This is an automated phone service.


There are four parameters:


1.

Type of announcement



this has three values



None



Interruptible



Noninterruptible


2.

User input of digits



No digits



Fixed number of digits



Variable
number of digits terminated by the # key


3.

Make a billing record



Yes



no


4.

User access



Local phone



Long
-
distance trunk


(
none

for announcement and
none

for the number of digits is not
permitted)


Note that to test all pairwise interactions among the 4 paramet
ers
would take 32 = (3


3


2


2)


4 tests.



The following covering array shows that all pairwise combinations of
the parameter values can be tested for in 8 tests (a 75% reduction in
experimental cost)




Test

1

2

3

4

5

6

7

8

Announce.

n
one

none

i
nte
r.

i
nter.

i
nter.

n
on
-
int

n
on
-
int

n
on
-
int

Digits
wanted

fixed

var

none

fixed

var

none

fixed

var

Billing

no

yes

no

yes

yes

yes

yes

no

Access
type

line

trunk

trunk

trunk

line

line

trunk

trunk






Much research has been done to design good covering arra
y s