Question: Suppose that Alice is using a secure MAC to authenticate currency transfer orders when communicating with her bank. For example, she sends the message Send
Suppose that Alice is using a secure MAC to authenticate currency transfer orders when communicating with her bank. For example, she sends the message "Send $1 to Sponge" and a tag computed over this message when communicating with her bank (no encryption is involved). Both Alice and the bank hold the secret key k of the MAC to allow verifying tag. If an attacker (eavesdropper) managed to intercept this message and its tag, he could send this message many times so that multiple dollars would be transferred out of Alice's account. To avoid this attack, Alice keeps a counter C which starts at value 1 and increments by 1 each time. To instruct the bank to perform the first transfer, Alice will produce two tags: one computed as tag MAC ("Send $1 to Sponge) and another computed as tag' = MACR("Current counter value is 1"). The bank will also keep track of the counter value and verify both tags, and that the counter value received is exactly 1 greater than the last counter value from Alice. For her next transfer, Alice increments the counter to C = 2, and for example sends money to Ronald with the proper tags over the transfer and the counter value as before and so on. 1. Consider an attacker (eavesdropper) who observes all of the communication between Alice and her bank. With this modified scheme, what kind of damage is prevented? What kind of damage can this attacker still cause? Provide informal but convincing arguments. 2. Will your answer be different if the counter is part of the same message? (i.e., send one message and one tag such that tag = MAC ("current counter value is 1, send $1 to Charlie") and so on). Provide informal but convincing arguments. Suppose that Alice is using a secure MAC to authenticate currency transfer orders when communicating with her bank. For example, she sends the message "Send $1 to Sponge" and a tag computed over this message when communicating with her bank (no encryption is involved). Both Alice and the bank hold the secret key k of the MAC to allow verifying tag. If an attacker (eavesdropper) managed to intercept this message and its tag, he could send this message many times so that multiple dollars would be transferred out of Alice's account. To avoid this attack, Alice keeps a counter C which starts at value 1 and increments by 1 each time. To instruct the bank to perform the first transfer, Alice will produce two tags: one computed as tag MAC ("Send $1 to Sponge) and another computed as tag' = MACR("Current counter value is 1"). The bank will also keep track of the counter value and verify both tags, and that the counter value received is exactly 1 greater than the last counter value from Alice. For her next transfer, Alice increments the counter to C = 2, and for example sends money to Ronald with the proper tags over the transfer and the counter value as before and so on. 1. Consider an attacker (eavesdropper) who observes all of the communication between Alice and her bank. With this modified scheme, what kind of damage is prevented? What kind of damage can this attacker still cause? Provide informal but convincing arguments. 2. Will your answer be different if the counter is part of the same message? (i.e., send one message and one tag such that tag = MAC ("current counter value is 1, send $1 to Charlie") and so on). Provide informal but convincing arguments
Step by Step Solution
There are 3 Steps involved in it
Get step-by-step solutions from verified subject matter experts
Study Help