Henning Schulzrinne Columbia University, New York Columbia University, Fall 2000

Transcription

1 1 Network Security: Hashes Henning Schulzrinne Columbia University, New York Columbia University, Fall 2000 cfl , Henning Schulzrinne Last modified October 5, 2000 Slide 1 Hashes ffl hash message digest ffl one-way function: d = h(m), but no h 0 (d) =m ffl cannot find message with given digest ffl cannot find m 1 ;m 2 where d 1 = d 2 ffl cannot find different m 2 with same digest (given some m 1 ) ffl arbitrary-length message! fixed-size hash ffl different: checksums (CRC): fast easy to compute two messages with same hash, protect against noisy channels Slide 2

2 2 Randomness ffl for 1000 inputs, any bit in the outputs 1 half the time ffl each output: 50% 1 bits ffl similar inputs uncorrelated outputs (half the bits should differ) note: efficiency not important Slide 3 Random vs. Random ffl random numbers for simulation (! Knuth, Bratley/Fox/Schrage): sequence no short cycles average = 0.5, variance,... completely predictable, repeatable white noise : flat frequency spectrum must be very efficient (multiply, add) ffl random numbers for picking keys: unpredictable by outside observer two processes at the same time different number use audio, video efficiency not very important Slide 4

3 3 The Birthday Problem (Approximate) two people with same birthday in room ffl n inputs (humans) ffl k = 365 possible outputs (birthdays) ffl n (n 1)=2 pairs of inputs ffl check for each pair: 1=k of both humans having samebirthday ffl k=2 pairs for 50% matching probability ffl n ß p k for 50% chance ffl warning: simplified, does not hold for large n! ffl or: p same = Example: n =23 p alldifferent =0:31 n(n 1) 2 1 k Slide 5 Birthday Problem, Correct compute probability of different birthdays no sample twice sampling without replacement sampling with replacement ffl random sample of n people (birthdays) taken from k (365 days) ffl k n samples with replacement ffl (k) n = k(k 1) (k n +1)samples without replacement Slide 6

4 4 Birthday Problem, Correct probability of no repetition: p = (k) n k(k 1) (k n +1) n(n 1) = kn k n ß 1 2k p = (365) n (365 n +1) = 365n = n +1 ::: = Example: n =23 p =0: n Slide 7 How Many Bits for Hash? ffl m bits, takes 2 m=2 to find two with the same hash ffl 64 bits 2 32 messages to search ffl note: different from picking h and finding m Example: ffl Alice (secretary: Bob) wants to fire Fred ffl Bob is Fred s friend ffl Bob composes two messages (same hash), one to be read, the other sent ffl generate lots of similar messages: 2 choices of wording in 32 places 2 32 messages Slide 8

5 5 Hash Functions RFC: name inventor docs entity hash sub-stages MD2 Ron Rivest RFC 1319 bytes MD4 Ron Rivest RFC bit MD5 Ron Rivest RFC bit SHS NIST 32-bit 160 Slide 9 Authentication Alice Bob r A! ψ MD(K AB jr A ) ψ r B MD(K AB jr B )! only need to compare result, not decrypt Slide 10

6 6 Computing a MIC with a Hash ffl can t just compute MD(m) ffl MIC: MD(K AB jm 1 ) ffl but: Trudy can get MIC of m 2,givenm bit blocks, append (message length, pad) allow to concatenate padding, plus additional message put secret at end of message or: use only half the bits of MD can t continue message Slide 11 Encryption: One-Time Pad ffl b 1 = MD(K AB jiv) ffl b 2 = MD(K AB jb 1 ) ffl b i = MD(K AB jb i 1 ) ffl then: b used as one-time pad ffl can t use same OTP twice use IV ffl any OTP has privacy only: if plaintext known, can encrypt anything ffl separate integrity function Slide 12

7 7 Encryption: Mixing in the Plaintext ffl similar to cipher feedback mode (CFB) ffl break message into MD-length chunks p i b 1 = MD(K AB jiv ) c 1 = p 1 Φ b 1 b 2 = MD(K AB jc 1 ) c 2 = p 2 Φ b 2. b i = MD(K AB jc i 1 ) c i = p i Φ b i Slide 13 Using Secret Key for a Hash Unix password algorithm: ffl compute hash of user password, compare to hash of password typed ffl first 8 bytes of password! secret key ffl encrypt 0 with DES-like algorithm ffl salt: 12-bit random number determines bits to duplicate in mangler when expanding 32 to 48 bits ffl salt stored with hashed result Slide 14

8 8 Hashing Large Messages Using Encryption ffl key length k, block length b ffl divide message into k-bit chunks m 1 ;m 2 ;::: ffl first, encrypt a constant with m 1 as key ffl encrypt output with m 2 as key ffl output b(= 64) too short ffl generate 2nd 64-bit quantity by reversing chunk order ffl or: use different initial constants Slide 15 Hashing Large Messages Slide 16

9 9 IV IV m1 + m1 E K E m2 E m2 + Slide 17 MD2 128-bit message digest ffl arbitrary number of bytes ffl pad to multiple of 16 bytes ffl append MD2 checksum to end ffl process whole message Slide 18

10 10 MD2 Checksum ffl m nk : byte nk of message ffl c n := ß(m nk Φ c n 1 ) Φ c n ffl ß: 0! 41; 1! 46;::: ffl supposedly based on ß Slide 19 MD2 Final Pass ffl operate on 16-byte chunks ffl 48-byte quantity q: (current digest j chunk j digest Φ chunk) ffl 18 passes over q ffl c n = c n Φ ß(c n 1 ) for n =0;:::;47; c 1 =0 ffl c 1 =(c 47 + pass #) mod 256 ffl after pass 17, use first 16 bytes as new digest ffl minimal storage: checksum, 48 bytes Slide 20

11 11 MD4 ffl any number of bits ffl operates on 32-bit quantities ffl pad to multiple of 512 bits (16 32-bit words): , message lengthin bits ffl digest = f(512-bit blocks, previous digest or initial constant) ffl 1 stage = three mangling passes ffl 16 message words m 0 ;m 1 ;:::;m 15 ffl 4 message digest words d 0 ;d 1 ;d 2 ;d 3 ffl d 0 = ;d 1 =89abcdef 16 ;d 2 = fedcba98 16 ;::: Slide 21 MD4 Operations fflbxc fflο: bitwise complement ffl x ^ y: bitwise and ffl x _ y: bitwise or ffl x + y: addition mod 2 32 ffl x ψ- y: rotate left y bits Slide 22

12 12 MD4 Pass 1: Selection ffl selection function: F (x; y; z) =(x ^ y) _ (ο x ^ z) ffl if bit x n is 1: pick F n = y n,otherwisez n d ( i)^3 =(d ( i)^3 + F (d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m i ) ψ- S 1 (i ^ 3) where S 1 (i) =3+4i, 1 10 = ; 2 10 = ;::: d 0 = (d 0 + F (d 1 ;d 2 ;d 3 )+m 0 ) ψ- 3 d 1 = (d 3 + F (d 0 ;d 1 ;d 2 )+m 1 ) ψ- 7 d 2 = (d 2 + F (d 3 ;d 0 ;d 1 )+m 2 ) ψ- 11 d 3 = (d 1 + F (d 2 ;d 3 ;d 0 )+m 3 ) ψ- 15 d 0 = (d 0 + F (d 1 ;d 2 ;d 3 )+m 4 ) ψ- 3 Slide 23 MD4 Pass 2: Majority ffl G(x; y; z) =(x ^ y) _ (x ^ z) _ (y ^ z) ffl G n =1iff 2 out of 3 bits x n ;y n ;z n are 1 ffl constant b2 30p 2c =5a d ( i)^3 = (d ( i)^3 + G(d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m X(i) +5a ) ψ- S 2 (i ^ 3) where X(i) exchange bits (2,3) with (0,1); S 2 =3; 5; 9; 13; 3;::: d 0 = (d 0 + G(d 1 ;d 2 ;d 3 )+m 0 +5a ) ψ- 3 d 1 = (d 3 + G(d 0 ;d 1 ;d 2 )+m 4 +5a ) ψ- 5 d 2 = (d 2 + G(d 3 ;d 0 ;d 1 )+m 8 +5a ) ψ- 9 d 3 = (d 1 + G(d 2 ;d 3 ;d 0 )+m 12 +5a ) ψ- 13 d 0 = (d 0 + G(d 1 ;d 2 ;d 3 )+m 1 +5a ) ψ- 3 Slide 24

13 13 Slide 25 MD4 Pass 3: Ex-Or ffl H(x; y; z) =x Φ y Φ z ffl constant b2 30p 3c =6ed9eba1 16 d ( i)^3 = (d ( i)^3 + H(d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m R(i) +6ed9eba1 16 ) ψ- S 3 (i ^ 3) where R(i) Reverses bits in i; S 3 =3; 9; 11; 15 d 0 = (d 0 + H(d 1 ;d 2 ;d 3 )+m 0 +6ed9eba1 16 ) ψ- 3 d 1 = (d 3 + H(d 0 ;d 1 ;d 2 )+m 4 +6ed9eba1 16 ) ψ- 9 d 2 = (d 2 + H(d 3 ;d 0 ;d 1 )+m 8 +6ed9eba1 16 ) ψ- 11 d 3 = (d 1 + H(d 2 ;d 3 ;d 0 )+m 12 +6ed9eba1 16 ) ψ- 15 d 0 = (d 0 + H(d 1 ;d 2 ;d 3 )+m 2 +6ed9eba1 16 ) ψ- 3 Slide 26

14 14 MD5 ffl MD4, MD5: same message padding, blocking, initial d i ffl MD4: 3 passes MD5: 4 passes ffl different functions, different shifts ffl MD4: two constants for all m i MD5: different T i = b2 32 j sin ijc Slide 27 MD5 Pass 1: Selection d ( i)^3 = (d ( i)^3 + F (d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m i + T i+1 ) ψ- S 1 (i ^ 3) where S 1 =7+5i: d 0 = (d 0 + F (d 1 ;d 2 ;d 3 )+m 0 + T 1 ) ψ- 7 d 1 = (d 3 + F (d 0 ;d 1 ;d 2 )+m 1 + T 2 ) ψ- 12 d 2 = (d 2 + F (d 3 ;d 0 ;d 1 )+m 2 + T 3 ) ψ- 17 d 3 = (d 1 + F (d 2 ;d 3 ;d 0 )+m 3 + T 4 ) ψ- 22 d 0 = (d 0 + F (d 1 ;d 2 ;d 3 )+m 4 + T 5 ) ψ- 7 Slide 28

15 15 MD5 Pass 2: Selection Selection function: G(x; y; z) =(x ^ z) _ (y^ οz) d ( i)^3 = (d ( i)^3 + F (d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m (5i+1)^15 + T i+17 ) ψ- S 2 (i ^ 3) where S 2 (i) =i(i +7)=2 +5: d 0 = (d 0 + G(d 1 ;d 2 ;d 3 )+m 1 + T 17 ) ψ- 5 d 1 = (d 3 + G(d 0 ;d 1 ;d 2 )+m 6 + T 18 ) ψ- 9 d 2 = (d 2 + G(d 3 ;d 0 ;d 1 )+m 11 + T 19 ) ψ- 14 d 3 = (d 1 + G(d 2 ;d 3 ;d 0 )+m 0 + T 20 ) ψ- 20 d 0 = (d 0 + G(d 1 ;d 2 ;d 3 )+m 5 + T 21 ) ψ- 5 Slide 29 MD5 Pass 3: Ex-Or H(x; y; z) =x Φ y Φ z as in MD4 d ( i)^3 = (d ( i)^3 + H(d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m (3i+5)^15 )+T i+33 ) ψ- S 3 (i ^ 3) where S 3 (i) =4; 11; 16; 23; 4;::: d 0 = (d 0 + H(d 1 ;d 2 ;d 3 )+m 5 + T 33 ) ψ- 4 d 1 = (d 3 + H(d 0 ;d 1 ;d 2 )+m 8 + T 34 ) ψ- 11 d 2 = (d 2 + H(d 3 ;d 0 ;d 1 )+m 11 + T 35 ) ψ- 16 d 3 = (d 1 + H(d 2 ;d 3 ;d 0 )+m 14 + T 36 ) ψ- 23 d 0 = (d 0 + H(d 1 ;d 2 ;d 3 )+m 1 + T 37 ) ψ- 4 Slide 30

16 16 MD5 Pass 4: Ex-or I(x; y; z) =y Φ (x_ οz) d ( i)^3 = (d ( i)^3 + I(d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m (7i)^15 + T i+49 ) ψ- S 4 (i ^ 3) where S 4 (i) =6; 10; 15; 21; 6;::: d 0 = (d 0 + I(d 1 ;d 2 ;d 3 )+m 0 + T 49 ) ψ- 6 d 1 = (d 3 + I(d 0 ;d 1 ;d 2 )+m 7 + T 50 ) ψ- 10 d 2 = (d 2 + I(d 3 ;d 0 ;d 1 )+m 14 + T 51 ) ψ- 15 d 3 = (d 1 + I(d 2 ;d 3 ;d 0 )+m 5 + T 52 ) ψ- 21 d 0 = (d 0 + I(d 1 ;d 2 ;d 3 )+m 12 + T 53 ) ψ- 6 Slide 31 Secure Hash Standard (SHS) ffl 64 bits! 160 bits ffl similar to MD5 ffl 5 passes ffl 5 32-bit digest words digest AjBjCjDjE: A = B = efcdab89 16 C = 98badcfe 16 D = E = c3d2e1f0 16 Slide 32

17 17 SHS ffl start with 512-bit block ffl fill 4 more blocks with recursion bit words: ffl word W n = W n 3 Φ W n 8 Φ W n 14 Φ W n 16 ψ- 1 ffl modify digest: A 0 = E +(A ψ- 5) + W t + K t + f(t; B; C; D) B 0 = A C 0 = B ψ- 30 D 0 = C E 0 = D ffl K t = b2 30p xc, wherex = f2; 3; 5; 10g[t=20] Slide 33 SHS Function f(): f(t; B; C; D) = (B ^ C) _ (ο B ^ D) for 0» t» 19 f(t; B; C; D) = B Φ C Φ D for 20» t» 39 f(t; B; C; D) = (B ^ C) _ (B ^ D) _ (C ^ D) for 40» t» 59 f(t; B; C; D) = B Φ C Φ D for 60» t» 79 Slide 34