Securing Stream Ciphers (HMAC) - Computerphile

  • Published on 1 Oct 2024
  • Bit flipping a stream cipher could help you hit the Jackpot! But not with HMAC. Dr Mike Pound explains.
    Correction: "pseudo" is spelled incorrectly on the graphic.
    This video was filmed and edited by Sean Riley.
    Computer Science at the University of Nottingham: bit.ly/nottscom...
    Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com

Comments • 224

  • @ZehEduardo
    @ZehEduardo 7 years ago +417

    I want to meet this man. I feel like I could hear him talking from hours and not get bored.

    • @JoeMarGonzales
      @JoeMarGonzales 4 years ago +10

      @urbex2007 I guess it's supposed to be that way. He never looks directly into the camera, he looks towards the hidden interviewer instead.

    • @pierluiginegro772
      @pierluiginegro772 3 years ago +11

      It's his enthusiasm that does the trick! I'm absolutely caught up in his speech, unable to stop listening, getting angry at the video ending so abruptly!

    • @misspaula9186
      @misspaula9186 2 years ago

      You can say that again

    • @arrowtlg2646
      @arrowtlg2646 2 years ago +1

      I took the Computer Security Module and audited the Cryptography modules this year at the university of nottingham, both of which were taught by Dr Mike Pound, and honestly it was amazing. He has a great way of explaining hard concepts in a way that's easy to understand.

    • @dalegeddes687
      @dalegeddes687 1 year ago

      I'd love to meet this man too huge respect for Mike pound :)

  • @brooped
    @brooped 7 years ago +225

    Please sent Mike £100

    • @Anvilshock
      @Anvilshock 7 years ago +2

      Sneeze bent like 7FFF

    • @kebman
      @kebman 7 years ago +1

      Thank you Please!

    • @philtrem
      @philtrem 6 years ago +2

      He wants it yesterday !

    • @8b8b8b
      @8b8b8b 5 years ago

      Please sent Mike £100 yesterday
      Please send Mike £100 today

    • @downstream0114
      @downstream0114 4 years ago

      Plase send Mike £10M

  • @StreuB1
    @StreuB1 7 years ago +423

    ....I honestly get the feeling that Dr. Pound is wildly more intelligent than we realize or he portrays, and he always seems like he has to hold back just a bit so he doesn't inadvertently say too much. Like, there is a line that shouldn't be crossed with regard to explaining things and he is constantly dancing with that line and at times has to stop for a moment and think "Ok, right, where am I?....oh, right, ok we can go further" lol
    Anyone else get that??
    He's awesome, man.

    • @minihjalte
      @minihjalte 7 years ago +17

      Brian Streufert what? He is obviously very intelligent, else he wouldn't have a doctorate.

    • @StreuB1
      @StreuB1 7 years ago +9

      Nooo....beyond that level even!

    • @minihjalte
      @minihjalte 7 years ago +21

      Brian Streufert what level do you mean? Omnipotent/supernatural level?

    • @FriedEgg101
      @FriedEgg101 7 years ago +44

      Would you say that you find his intelligence artificial?

    • @kale.online
      @kale.online 7 years ago +9

      I get what you mean. Hopefully like Robert Miles he starts his own channel

  • @markusdemedeiros8513
    @markusdemedeiros8513 7 years ago +117

    Dr. Pound! This guy could read me his shopping list and I would still watch it

    • @Hexanitrobenzene
      @Hexanitrobenzene 5 years ago +4

      I'm sure he would manage to make it hilarious :)

  • @gatoradeee
    @gatoradeee 7 years ago +44

    This bloke is a well-rounded pundit of computer science--vision, cryptography, algorithms, all the good stuff.

  • @jamesvanden6251
    @jamesvanden6251 7 years ago +35

    HE'S BACK! ALL ABOARD THE TRAIN TO POUND TOWN...

  • @jordanwaeles
    @jordanwaeles 7 years ago +43

    Is it wrong to feel kinda in love with him? I might have completed my studies if he were my teacher.

    • @Xathian
      @Xathian 7 years ago +18

      He's the archetype for the perfect teacher to engage students in learning. He combines easy grasped examples with technical concepts and makes even very complex subjects easily understandable even to a slightly learned layman.

  • @SmallSparrowsChannel
    @SmallSparrowsChannel 5 years ago +26

    Absolutely love these computerphile videos. To the team: please do not stop making more videos!

  • @brandonbirchall5389
    @brandonbirchall5389 7 years ago +32

    Love this series, but could you please cover Elliptic curve Cryptography? I feel like this channel explains everything the best, so it would be much appreciated.

    • @foobargorch
      @foobargorch 7 years ago +2

      djb and Tanja Lange have a great intro to the subject from 31c3

    • @cobaltno51
      @cobaltno51 5 years ago

      @@foobargorch Thanks for that!

  • @ArthurKhazbs
    @ArthurKhazbs 7 years ago +19

    Mike is implicitly asking us to send him £100

  • @yoavklein123
    @yoavklein123 2 years ago +2

    Something I didn't understand. Around 5:00, after introducing the first "naive" solution to the problem of tampering with the stream cipher - i.e. computing a hash - Dr. Mike rejects this immediately because the middle-man can easily tamper with the message and then compute a hash. What I don't understand is how he can compute the hash of the unencrypted message? All he has is the encrypted message, and if the hash is of the un-encrypted, how can he compute this?

    • @0xbenedikt
      @0xbenedikt 1 year ago +2

      I don’t understand either. Also if you send the hash encrypted too, there would in my mind absolutely be no way to reconstruct it

  • @daft_punker
    @daft_punker 7 years ago +25

    This guy is my favorite!

  • @00a5-h8j
    @00a5-h8j 7 years ago +73

    This video seemed to end without much of a conclusion...

  • @jony7779
    @jony7779 7 years ago +19

    Great video. I love Mike Pound - he is my favorite person on computerphile

    • @MikhailFederov
      @MikhailFederov 11 months ago

      Just wait until you meet Mike Hawk

  • @y__h
    @y__h 7 years ago +9

    Someday you should do a video on AEAD, which is more modern than plain old Stream cipher.

  • @boynedmaster
    @boynedmaster 7 years ago +9

    just had an hmac nightmare, this came a bit too late

  • @Destrolll
    @Destrolll 5 years ago +3

    5:13 But why don't we encrypt the checksum too? In other words, we append the hash of the message right *before* we do the encryption

    • @0xbenedikt
      @0xbenedikt 1 year ago +1

      I’d love to know the reason too

  • @OnlyUseMeEquip
    @OnlyUseMeEquip 7 years ago +14

    make a 2 hour video with this guy, i could listen to him all day

  • @rogervanbommel1086
    @rogervanbommel1086 2 years ago +3

    Well, do not forget AES CBC is weird, it’s a block cipher, though because of the XOR chaining you can also do this there

  • @maxijonson
    @maxijonson 4 years ago +1

    DONT QUIT THE VIDEO JUST YET 😂

  • @dd9516
    @dd9516 7 years ago +3

    I have a big ask. It may take several videos but I should love to see a simple but complete differential cryptanalysis. And a set on linear cryptanalysis. We hear about it all the time but it means very little to most of us. There are many books on it but these are hard to follow, a video would be much easier and better. Thanks! If you do it I shall sent a much bigger 'thank you', capital letters and all!

  • @amaarquadri
    @amaarquadri 7 years ago +4

    The encryption related Computerphile videos are some of my favorite.

  • @Anvilshock
    @Anvilshock 7 years ago +3

    This guy couldn't look any more mischievous if he wore a black henchman's mask befitting a 70s' Batman episode.

  • @johnbll106
    @johnbll106 3 years ago +1

    So I guess the length extension video never came out, sad.

  • @КириллРагузин-р9в
    @КириллРагузин-р9в 7 years ago +2

    The second method can actually be just as secure if it is guaranteed that none of the valid messages can be a simple concatenation of 2 or more other valid messages. The easiest way to guarantee it is just to always put a total message length block somewhere inside the protected message. This method is a little bit faster than the HMAC.

  • @msolomonbush
    @msolomonbush 7 years ago +2

    I like the videos that Dr. Pound does on cryptography and cryptoanalytics, but it would be nice if he could get into more of how the math works behind the concepts. Not just describe the variables.

  • @mechris13524
    @mechris13524 7 years ago +20

    I think in the video, we were shown this as a non-working solution: encrypt(message)|hash(encrypt(message))
    Why couldn't you do this: encrypt(message|hash(message))

    • @gryzman
      @gryzman 7 years ago

      that's essentially what signing is, you take checksum and encrypt it with the private key - and what you get is a signature.

    • @suncrasher4168
      @suncrasher4168 7 years ago +1

      but both keys are private...

    • @TMaorgmrtrstogamFFDsKMO
      @TMaorgmrtrstogamFFDsKMO 7 years ago

      Greg Jaskiewicz j

    • @TMaorgmrtrstogamFFDsKMO
      @TMaorgmrtrstogamFFDsKMO 7 years ago

      Greg Jaskiewicz o

    • @unvergebeneid
      @unvergebeneid 7 years ago +1

      Christopher Smith, yes, I was definitely missing an explanation for why that is a bad idea!

  • @J2963-u3x
    @J2963-u3x 3 years ago +1

    Hash length extension attack video ?

  • @Quasihamster
    @Quasihamster 7 years ago +2

    100 pounds? Thanks! I'm still waiting though...

  • @recklessroges
    @recklessroges 7 years ago +1

    I was just in the middle of writing an RFC6238 TOTP in C++ (because I can't find any that compile in Code::Blocks to run in cmd.exe. Obviously over on Linux it all just works.)

  • @banderi002
    @banderi002 7 years ago +3

    You can see at 5:44 the spider bite in Tobey Maguire's hand

  • @d1ngo153
    @d1ngo153 1 year ago +1

    idk why but this reminds me of the office

  • @KIPeR97eS
    @KIPeR97eS 7 years ago +8

    iPad, mac, illuminati

    • @miallo
      @miallo 7 years ago +8

      The iLluminati is the new smart-bulb by Apple I guess :D

    • @foobargorch
      @foobargorch 7 years ago

      seeing as apple stole the brand iPhone from another company, more or less, this should really help the conspiracy theorists make a compelling argument, since it'll be that much harder to google =)

  • @TotalImmort7l
    @TotalImmort7l 4 years ago +1

    There is a guy named Please who pleases Mike.
    Anyways, what is special about CMAC and Poly1305?

  • @loudej
    @loudej 7 years ago +2

    Great video! Can you also do one talking about HMAC-before-encrypt vs encrypt-before-HMAC? encrypt(message)|hmac(key,encrypt(message)) vs encrypt(message|hmac(key,message))

    • @hardikmaru3311
      @hardikmaru3311 2 years ago

      Confidentiality isn't the objective of HMAC, so encrypting the final message doesn't make sense. HMAC provides authentication and integrity

    • @thomasb1337
      @thomasb1337 2 years ago

      @@hardikmaru3311 You would want to encrypt then HMAC the encrypted message. Also known as EtA

  • @DynoosHD
    @DynoosHD 7 years ago +15

    Why doesn't this work?:
    encrypt(message hash(message))

    • @wapted
      @wapted 7 years ago

      well, it does work.

    • @gajbooks
      @gajbooks 7 years ago

      It does, but I think the intent was to secure an arbitrary message without requiring knowledge of what cypher it was using. Other people could bit flip all they want but unless they can decode the stream in the first place they can't correctly re-encode a new hash.

    • @ikkohmation
      @ikkohmation 7 years ago +4

      It's a stream cipher, so you shouldn't be able to hash the whole message ? (I think)

    • @PeregrineBF
      @PeregrineBF 7 years ago +9

      It makes you vulnerable to padding oracle and other chosen ciphertext attacks. That construction is called MAC then Encrypt, and is insecure if the encryption scheme is vulnerable to such attacks (many are, and are designed to use a MAC of the ciphertext to remove the vulnerability).

    • @foobargorch
      @foobargorch 7 years ago +1

      this is worse than MAC-then-encrypt, since the hash isn't signed, a chosen plaintext attack will also allow forgery, for stream ciphers and non chaining block cipher modes:
      You choose m_1, and get c_1:
      c_1 = k_1 ^ (m_1 || H(m_1))
      You can recover the key stream (but not with a chaining block cipher mode):
      k_1 = c_1 ^ (m_1 || H(m_1))
      Forge ciphertext for arbitrary message m_2:
      c_2 = k_1 ^ (m_2 || H(m_2))
      In other words, the hash only provides integrity checking, not authentication
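
The three schemes argued over in this thread, written out as an added example (not code from the video or from Computerphile): a bare stream cipher, the proposed encrypt(m || H(m)), and encrypt-then-HMAC. The keystream is a constructed SHA-256 counter-mode stand-in, the keys and messages are made up for the demo, and the keystream is deliberately reused between messages so the known-plaintext derivation quoted above can be reproduced as a check. The point for a receiver is in the verify functions: an unkeyed hash is caught by a bit flip but not by someone who knows one plaintext, whereas the HMAC check rejects any altered ciphertext before decrypting it.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 digest length in bytes

# Constructed demo keys; in practice these come from a key exchange or a KDF.
ENC_KEY = b"constructed-stream-cipher-key"
MAC_KEY = b"constructed-hmac-key"


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. A stand-in for a real stream
    cipher's PRNG output (constructed for this demo, not a production cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, data: bytes) -> bytes:
    # A stream cipher XORs the data with the keystream; decryption is the same op.
    return xor(data, keystream(key, len(data)))


stream_decrypt = stream_encrypt


# --- Scheme 1 (the video's starting point): bare stream cipher, no integrity ---
def bit_flip_demo() -> bytes:
    """Flipping ciphertext bits flips the same plaintext bits: '1' becomes '9'."""
    ct = bytearray(stream_encrypt(ENC_KEY, b"pay Bob 100"))
    ct[8] ^= ord("1") ^ ord("9")  # byte 8 is the '1' of '100'
    return stream_decrypt(ENC_KEY, bytes(ct))


# --- Scheme 2 (the thread's proposal): encrypt(m || H(m)) ---
def seal_plain_hash(key: bytes, msg: bytes) -> bytes:
    return stream_encrypt(key, msg + hashlib.sha256(msg).digest())


def open_plain_hash(key: bytes, ct: bytes):
    pt = stream_decrypt(key, ct)
    msg, tag = pt[:-TAG_LEN], pt[-TAG_LEN:]
    return msg if hashlib.sha256(msg).digest() == tag else None


def plain_hash_forgery_demo() -> bytes:
    """The derivation from the comment above: one known (m1, c1) pair under a
    reused keystream gives k = c1 ^ (m1 || H(m1)), and then
    c2 = k ^ (m2 || H(m2)) passes the receiver's hash check."""
    m1 = b"pay Bob 100"
    c1 = seal_plain_hash(ENC_KEY, m1)
    k = xor(c1, m1 + hashlib.sha256(m1).digest())
    m2 = b"pay Eve 999"  # same length as m1, so the recovered keystream covers it
    c2 = xor(k, m2 + hashlib.sha256(m2).digest())
    return open_plain_hash(ENC_KEY, c2)  # the receiver accepts it: no key was needed


# --- Scheme 3: encrypt-then-HMAC (what the video arrives at) ---
def seal_hmac(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    ct = stream_encrypt(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_hmac(enc_key: bytes, mac_key: bytes, sealed: bytes):
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None  # reject before the ciphertext is decrypted at all
    return stream_decrypt(enc_key, ct)


def hmac_tamper_demo():
    """Without MAC_KEY nobody can produce a valid tag for an altered ciphertext,
    so the same '1' -> '9' bit flip is rejected."""
    sealed = bytearray(seal_hmac(ENC_KEY, MAC_KEY, b"pay Bob 100"))
    sealed[8] ^= ord("1") ^ ord("9")
    return open_hmac(ENC_KEY, MAC_KEY, bytes(sealed))


if __name__ == "__main__":
    print(bit_flip_demo())            # b'pay Bob 900'
    print(plain_hash_forgery_demo())  # b'pay Eve 999'
    print(hmac_tamper_demo())         # None
```

The forgery in scheme 2 depends on keystream reuse, which is exactly the condition a real deployment must also avoid; the HMAC scheme does not depend on it, because the tag is computed under a second key the sender and receiver share and the ciphertext is never decrypted unless the tag matches, which is the "encrypt then HMAC" ordering discussed later in these comments.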

  • @JNET_Reloaded
    @JNET_Reloaded 5 years ago +1

    What about video encryption is this stream cypher?

  • @rodolfopk
    @rodolfopk 4 years ago

    Please, talk about AEAD, Chacha20, Salsa20 and Crypto Pairing.

  • @jeanmarabou9774
    @jeanmarabou9774 1 year ago

    Why not just do SHA2( msg | key ) and not SHA2( key | msg ) like this the malicious appends can only get SHA2( msg | key | malicious ) but the check will be made SHA2( msg | malicious | key) ?

  • @sarainiaangelsong440
    @sarainiaangelsong440 2 years ago

    Wait a sec? So a Block cipher changes multiple bits? so if I changed a single letter/bit, in the message that in turn makes the entire message of letters before and after get altered also??? I know of a lot of coding systems but as far as I'm aware I think everything usually is 1 to 1, example if we used Enigma 1 letter in 1 letter out sorta like a substitution! If we Transposition it then the same amount of letters move around, If we playfair it then we still end up with same count of letters, in fact I can't think of any 1 situation where 1 plaintext letter is fully responsible for keeping the entire rest of the message mathematically intact. The only thing I can think of is... if you Take 8 Letters that are 8 Bits long in Ascii and Put the rows of numbers 1 by 1 under until you get like 8x8 thus 64 bits but instead grouping all the 1st bits and making an Ascii character out of them then all the 2nd bits until all 8 is done then substitute that maybe along with a 1 time pad, then I can see how maybe by chance changing 1 Ascii can sometimes Affect many characters, unless I'm not seeing something here? So example let's say A=001 B=010 C=100 R=111 and our word was Cab then 100, 001, 010 if stacked could be 100, 001, 010 which doesn't change anything but let's try BAR, 010, 001, 111 we get now, 001, 101, 011 now this is kinda neat because we have new numbers which might be mapped to a question mark or something if this was 8 bit ascii but then math to it could change it yet again. I can't 100% see how a single change normally can affect the outcome of how a message works, but I can see in my example how sometimes hit or miss it can affect the entire message! I will have to look at block ciphers to maybe understand, but for most part from my experience the bulk of codes/encryption almost always is the Plain Text being heavily altered with some steps where if you isolated any letter usually, you get the plaintext of that specific letter!
    Equally speaking if deleting a letter anywhere or changing a letter anywhere also usually doesn't disturb a message most times in all of its entirety. However what I can say is... if it is possible where 1 Letter is the only way to crack the code if unchanged and all characters have that exact same property and must be One! Then yes that would be 100% valuable and secure as you can just take that and put that through 1 to 1 ciphers knowing there was a step involved that binds all of them together as a whole as one unit.

  • @blakezonca9865
    @blakezonca9865 7 years ago +2

    *Sees doc pound*
    *EXTERMINES THAT LIKE BUTTON*

  • @Valery0p5
    @Valery0p5 2 years ago

    You say hashes aren't for disks, but I'm pretty sure full disk encryption needs to have something like that...
    I remember hmacs being mentioned in the WiiU external drive encryption scheme...

  • @DrKaii
    @DrKaii 7 years ago +2

    Why do I get the feel that this guy was a car mechanic in a previous life?

  • @andrewcai8130
    @andrewcai8130 6 months ago

    I dunno about you guys, but I have trouble having a clear understanding of what this guy talks about when he explains things. It's hard to grasp. No disrespect though.

  • @user-sc1gd6kd4u
    @user-sc1gd6kd4u 2 years ago

    Is this part of a series? He mentions the SHA video as if I'm supposed to have seen it before, but I can't find an official playlist with computer security related videos from Computerphile.

  • @gabrielazevedo6028
    @gabrielazevedo6028 1 year ago

    The teaching is awesome and he explains greatly, but I can't help but to notice how every video seems like an episode from The Office

  • @xBZZZZyt
    @xBZZZZyt 1 year ago

    06:33 would adding length of message (excluding added length) in message prevent append attack?

  • @DorthLous
    @DorthLous 7 years ago +1

    Psuedo?

  • @yoavklein123
    @yoavklein123 2 years ago

    The questions of the guy with the camera don't sound very clear...

  • @fahd2372
    @fahd2372 3 years ago

    Why not instead of hashing the encrypted message, instead hash the original message? That way a middle-man won't be able to compute the hash without decrypting the entire message.

  • @DanDart
    @DanDart 4 years ago +1

    The captions on this aren't great, any way for me to edit?

  • @paulfragemann3333
    @paulfragemann3333 1 year ago

    Could you hash the message and append the hash before encrypting it and then verify it after decryption, or are there any security implications that make that a bad idea?

  • @kale.online
    @kale.online 7 years ago +1

    Cameraman, get a mic if you're going to be asking questions

  • @charan_75
    @charan_75 1 year ago

    How do the sender and receiver get same key? Do they use key exchange protocols?

  • @alloounou6900
    @alloounou6900 2 years ago +3

    Actual HMAC stuff starts at 4:00
    Until then, he's pointing out flaws with substitution in a stream cipher.

  • @kolrabi
    @kolrabi 7 years ago +2

    So... do you HMAC then encrypt or encrypt then HMAC? And for the love of Turing, please clean your screen. :)

    • @stheil
      @stheil 7 years ago

      IIRC, both are valid approaches and both are used in practice.

    • @bengrap0
      @bengrap0 7 years ago +8

      Both are used. However, the new consensus is to encrypt then hmac. It allows you to skip decryption when the hmac is invalid, thus allowing you to break earlier in your algorithm, resulting in fewer implementation mistakes. For example with block ciphers it might still be possible to exploit a padding oracle if the attacker can distinguish between the decryption failing and the hmac check failing, which in the case of never touching the encrypted text can never happen.

    • @foobargorch
      @foobargorch 7 years ago

      if you use a random ID, you need to keep track of what it's identifying, which means you need to store that data, and storage scales as the number of things you need to keep track of. Using an authenticated encryption lets you delegate the storage to an untrusted party, without revealing the contents and without compromising your trust in the data, and only need to store a small amount of unchanging data.

  • @Tomyb15
    @Tomyb15 7 years ago +1

    From 6:10 to 6:42 I got completely lost. I didn't understand what you were talking about and also couldn't make out some words. Could somebody explain it to me or just point me to the video I missed to understand that?

    • @foobargorch
      @foobargorch 7 years ago

      The Merkle-Damgard construction is a way of taking what's called a compression function, which has nothing to do with compression like zip files - that takes two blocks of constant length and produces one block of constant length that is a "mix" of the two inputs, and extends it to any message length by splitting the message into blocks, and chaining the blocks together, so you "compress" an initialization vector with the first block, and then take the output of that and the next block and "compress" that...
      Since the final hash is output of the last compression operation, if you know the hash of a message, you can produce the hash of any of its suffixes, even if you don't know the original message.
      Using his example, you could add additional 0s to the amount, instead of changing the most significant digit, even if it was prefixed with a key.
      By adding another hashing step that also depends on the key, you can prevent this kind of tampering, which is known as a length extension attack.

  • @gedeonandrasmusic
    @gedeonandrasmusic 3 years ago

    "We can actually change the amount get sent, which unfortunately is a purely hypothetical example, I don't actually get any money" 😂

  • @Seegalgalguntijak
    @Seegalgalguntijak 7 years ago +1

    I've seen SHA512 being used as a hash function. Does it have the same flaws as SHA256?

  • @lonerboy013
    @lonerboy013 7 years ago +1

    is it just me or are they spelling "pseudo" as "psuedo"?

    • @Computerphile
      @Computerphile 7 years ago +2

      +lonerboy013 I thought that didn't quite look right! Should've checked! >Sean

  • @iJuenger
    @iJuenger 7 years ago +1

    CBC mode for block ciphers

  • @bohitargep
    @bohitargep 7 years ago +1

    YAY he finally solved the ghost cube

  • @jeffirwin7862
    @jeffirwin7862 7 years ago +1

    But HMACs can't guarantee Non-repudiation.
    #DigitalSignaturesFTW
    Damn, my corporate security training videos are starting to sink in.

    • @allend433
      @allend433 7 years ago

      Jeff Irwin I didn't know digital certs did nonrepudiation. With IPsec, each packet has a serial number and only a finite number of them are available for the length of the session. I was not aware such a mechanism existed in PKI.

    • @allend433
      @allend433 7 years ago

      Disregard my message. I confused nonrepudiation with anti-replay protection. The process I described with IPsec prevents a MITM from recording and replaying a series of packets.

    • @foobargorch
      @foobargorch 7 years ago

      But digital signatures can't guarantee plausible deniability... check out why signal protocol uses shared secrets for signing instead, it's a very subtle argument and I think one that can't be dismissed easily, but basically the idea is that there's a useful distinction to be drawn between letting the intended recipient verify that the data is authenticated vs. letting the recipient prove this to others. IOW, nonrepudiation is not always desirable.
      The right tool for the job =)

  • @chromacat248
    @chromacat248 4 years ago +1

    > Macs, as we call them, are attached to most of the messages that get sent on the internet.
    time to become a millionaire

    • @commander_red
      @commander_red 3 years ago

      Well, the subtitles say it's 'Max' not Macs

  • @supersmart671
    @supersmart671 2 months ago

    Little confusing the example....

  • @Rsutton99
    @Rsutton99 7 years ago +1

    Great vid! But, those fingerprints on Mike's monitor are really upsetting :p

  • @Yaxqb
    @Yaxqb 7 years ago

    Lol and his name is Mike Pound

  • @coding4well
    @coding4well 2 years ago

    I'm a newbie, is hmac reversible?

  • @gcheese25
    @gcheese25 3 years ago

    Should have watched this video before my midterm...finally I feel like I know something. Thanks!

  • @Xe4ro
    @Xe4ro 2 years ago

    Switching off is probably not what anyone has ever done that clicked on a Computerphile video, especially with Mike.😁

  • @DreamingWithEyesWide
    @DreamingWithEyesWide 1 year ago

    Dr. Mike is the best! And this totally reminds me of the Office, especially with the personal interviewing and the random zooms and close-ups 😂 I also love the washing machine animation!!

  • @nickpelov
    @nickpelov 4 years ago

    What if instead of appending the key you prepend the key. It's secret so no one would know what the state would be after the key.

  • @darshanv1748
    @darshanv1748 2 years ago

    If we insert the hash (k1|m) at the start of the message itself, won't it also solve the problem?
    Maybe it's not as efficient to prepend as to append, but I think it'll also solve the problem; I would like to know your opinion

  • @coomservative
    @coomservative 5 years ago

    why not just append a salt and signature of the message+salt after that BEFORE applying the cipherstream? The attacker could change the message, but they're going to have a pretty hard time guessing what the salt is to compute the hash and even if they did they wouldn't be able to XOR it to the state the recipient expects.

  • @kingofshorekishore
    @kingofshorekishore 3 years ago

    It's said if you can explain something in simple words, you don't understand the concept. But you sir are just a marvel. Thanks a lot.

  • @tommyboy3164
    @tommyboy3164 3 years ago

    Thanks. Studying for CISSP. I just subscribed!

  • @domenicgilardoni1802
    @domenicgilardoni1802 6 years ago

    what exactly stops us from doing h(m|k) as opposed to h(k|m)? we don't need to worry about resuming the internal state of the hash function because that would only allow us to append to the key, not the message

  • @aparnasingh6829
    @aparnasingh6829 4 years ago

    How are you able to explain topics so easily. Seriously, it seems like child's play when I understand things like this

  • @lynxtouch
    @lynxtouch 4 years ago

    You're helping me so much studying for my Security+ exam!!!!

  • @dlovegrove11
    @dlovegrove11 7 years ago

    I feel like these videos always just scratch the surface and don't go in depth too often. I really would like to see some in depth content for the loyal subscribers!

  • @oriongalactic
    @oriongalactic 6 years ago

    Why not just hash before encrypting, message and hash all together? We could not compute a new hash for the changed message since we would need to know the encryption key

  • @macdjord
    @macdjord 4 years ago

    Why not just append the key to the end of the message before taking the hash instead of prepending it to the beginning? Wouldn't that solve length-extension?

  • @mahneh7121
    @mahneh7121 2 years ago

    Something implicit in the video: the key in a SC is the same length as the message.
    Fantastic expl. The guy is a genius

  • @Bloodman42
    @Bloodman42 7 years ago +1

    I like the void cube and ghost cube on the shelf. :D

    • @johanneszwilling
      @johanneszwilling 7 years ago +1

      😏 Ghost Cube has finally been solved 🙌

  • @azerotrlz
    @azerotrlz 6 years ago

    tl;dw you can just use a non-vanilla hash with a salt and they couldn't just reproduce the same hash function

  • @bhexric
    @bhexric 7 years ago

    I didn't even know HMACs existed until I came across them at work - it's good to know a bit more about them.

  • @SeeingGreenDevils
    @SeeingGreenDevils 4 years ago

    so why not just use digital signatures? when would we use HMAC as opposed to using signatures?

  • @pinnekjtt8002
    @pinnekjtt8002 2 years ago

    I freaking love this dude. Why ain't this guy my teacher.

  • @nosouponhead
    @nosouponhead 5 years ago

    Didn't understand this video. Too much abstraction.

  • @Nickle314
    @Nickle314 7 years ago

    You also need to handle deleting a message [Alice says pay Bob £100] Alice might want to remove that message.
    Equally Alice might want to add a message saying Bob to pay Alice £100

    • @foobargorch
      @foobargorch 7 years ago

      merkle proofs are useful for confirming the existence of a message, but proving a message did not exist requires something like a blockchain or a trusted third party

  • @baatar
    @baatar 6 years ago

    So, the outerpad and innerpad are just arbitrary constants that are used to derive the two separate keys which are then used to hash the message authentication code?
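
As an added example (not code from the video or from Computerphile), here is HMAC-SHA256 written out from its RFC 2104 definition so the two pads are visible: ipad (0x36) and opad (0x5C) are fixed constants XORed into the block-size-padded key to derive the two distinct keys, the inner one keys the hash over the message, and the outer one keys a second hash over that result, which is the extra key-dependent step the thread above credits with stopping length extension. The result is checked against Python's standard `hmac` module and against the RFC 4231 test vector.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes 64-byte blocks; HMAC pads the key to this size
IPAD = 0x36      # inner pad byte, fixed by RFC 2104
OPAD = 0x5C      # outer pad byte, fixed by RFC 2104


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 from its definition:
    H( (K ^ opad) || H( (K ^ ipad) || message ) )."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()    # keys longer than a block are hashed down
    key = key.ljust(BLOCK_SIZE, b"\x00")      # shorter keys are zero-padded to a block
    inner_key = bytes(b ^ IPAD for b in key)  # the "K1" of the video's two derived keys
    outer_key = bytes(b ^ OPAD for b in key)  # the "K2"
    inner = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver-side check; compare_digest avoids leaking the mismatch position."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built construction against the standard library."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


def rfc4231_case1() -> str:
    # RFC 4231 test case 1: key = 20 bytes of 0x0b, data = "Hi There"
    return hmac_sha256(b"\x0b" * 20, b"Hi There").hex()


if __name__ == "__main__":
    print(matches_stdlib(b"constructed-key", b"pay Bob 100"))  # True
    print(rfc4231_case1())
```

Because the message never touches the raw key, and because the final digest is a fresh hash of (outer key || inner digest) rather than the end of a single hash chain, knowing a tag for one message gives no internal state from which a tag for an extended message could be continued; that is why the construction needs the second, outer keyed hash rather than just H(k || m).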

  • @LucasAbedecain
    @LucasAbedecain 3 years ago

    I've used you guys so often in my degree, can you guys start a Patreon so that myself and others can donate?

  • @friewire
    @friewire 6 years ago

    I have an exam in computer security coming up soon. These videos are golden

  • @peschebichsu
    @peschebichsu 3 years ago

    There's no video about the length extension attack yet if I see right :(

  • @songofyesterday
    @songofyesterday 5 years ago

    Helps me study for CISSP, thanks!

  • @KulasangarGowrisangar
    @KulasangarGowrisangar 6 years ago

    Does anyone know, what's inner pad and outer pad which he mentions at 8:10?

  • @Mathematicmaster
    @Mathematicmaster 7 years ago +1

    0:53
    Left upper corner, that ghost cube :D

  • @TheStevenhull
    @TheStevenhull 3 years ago

    Gotta love the paper he uses with the sprocket holes. Who does that ?!?! LoL

  • @felipealvarez1982
    @felipealvarez1982 4 years ago

    100 pounds to Dr Pound

  • @hadireg
    @hadireg 3 years ago

    👍👍