Network Security: Hashes

Transcription

1 1 Network Security: Hashes Henning Schulzrinne Columbia University, New York Columbia University, Fall 2000 cfl , Henning Schulzrinne Last modified October 5, 2000

2 2 Hashes hash message digest one-way function: d = h(m), but no h 0 (d) =m cannot find message with given digest cannot find m 1 ;m 2 where d 1 = d 2 cannot find different m 2 with same digest (given some m 1 ) arbitrary-length message! fixed-size hash different: checksums (CRC): fast easy to compute two messages with same hash, protect against noisy channels

3 3 Randomness for 1000 inputs, any bit in the outputs 1 half the time each output: 50% 1 bits similar inputs uncorrelated outputs (half the bits should differ) note: efficiency not important

4 4 Random vs. Random random numbers for simulation (! Knuth, Bratley/Fox/Schrage): sequence no short cycles average = 0.5, variance,... completely predictable, repeatable white noise : flat frequency spectrum must be very efficient (multiply, add) random numbers for picking keys: unpredictable by outside observer two processes at the same time different number use audio, video efficiency not very important

5 5 The Birthday Problem (Approximate) two people with same birthday in room n inputs (humans) k = 365 possible outputs (birthdays) n (n 1)=2 pairs of inputs check for each pair: 1=k of both humans having same birthday k=2 pairs for 50% matching probability n ß p k for 50% chance warning: simplified, does not hold for large n! or: Example: n =23 p alldifferent =0:31 p same = n(n 1) 1 k 2

6 6 Birthday Problem, Correct compute probability of different birthdays no sample twice sampling without replacement sampling with replacement random sample of n people (birthdays) taken from k (365 days) k n samples with replacement (k) n = k(k 1) (k n +1)samples without replacement

7 7 Birthday Problem, Correct probability of no repetition: = n k(k (k 1) n +1) p (k) ß 1 = n k n k 1) n(n 2k = n 365 ( n +1) p (365) = n = n ::: n +1 1 = Example: n =23 p =0:43 365

8 8 How Many Bits for Hash? m bits, takes 2 m=2 to find two with the same hash 64 bits 2 32 messages to search note: different from picking h and finding m Example: Alice (secretary: Bob) wants to fire Fred Bob is Fred s friend Bob composes two messages (same hash), one to be read, the other sent generate lots of similar messages: 2 choices of wording in 32 places 2 32 messages

9 9 Hash Functions RFC: name inventor docs entity hash sub-stages MD2 Ron Rivest RFC 1319 bytes MD4 Ron Rivest RFC bit MD5 Ron Rivest RFC bit SHS NIST 32-bit 160

10 ψ MD(K AB jr A ) ψ r B 10 Authentication Alice Bob r A! MD(K AB jr B )! only need to compare result, not decrypt

11 MIC: MD(K AB jm 1 ) 11 Computing a MIC with a Hash can t just compute MD(m) but: Trudy can get MIC of m 2,givenm bit blocks, append (message length, pad) allow to concatenate padding, plus additional message put secret at end of message or: use only half the bits of MD can t continue message

12 b 2 = MD(K AB jb 1 ) 12 Encryption: One-Time Pad b 1 = MD(K AB jiv) b i = MD(K AB jb i 1 ) then: b used as one-time pad can t use same OTP twice use IV any OTP has privacy only: if plaintext known, can encrypt anything separate integrity function

13 break message into MD-length chunks p i b 1 = MD(K AB jiv ) c 1 = p 1 Φ b 1 b i = MD(K AB jc i 1 ) c i = p i Φ b i 13 Encryption: Mixing in the Plaintext similar to cipher feedback mode (CFB) 2 = MD(K AB jc 1 ) c 2 = p 2 Φ b 2 b..

14 14 Using Secret Key for a Hash Unix password algorithm: compute hash of user password, compare to hash of password typed first 8 bytes of password! secret key encrypt 0 with DES-like algorithm salt: 12-bit random number determines bits to duplicate in mangler when expanding 32 to 48 bits salt stored with hashed result

15 15 Hashing Large Messages Using Encryption key length k, block length b divide message into k-bit chunks m 1 ;m 2 ;::: first, encrypt a constant with m 1 as key encrypt output with m 2 as key output b(= 64) too short generate 2nd 64-bit quantity by reversing chunk order or: use different initial constants

16 Hashing Large Messages 16

17 17 IV IV m1 + m1 E K E m2 E m2 +

18 18 MD2 128-bit message digest arbitrary number of bytes pad to multiple of 16 bytes append MD2 checksum to end process whole message

19 c n := ß(m nk Φ c n 1 ) Φ c n 19 MD2 Checksum m nk : byte nk of message ß: 0! 41; 1! 46;::: supposedly based on ß

20 c n = c n Φ ß(c n 1 ) for n =0;:::;47; c 1 =0 20 MD2 Final Pass operate on 16-byte chunks 48-byte quantity q: (current digest j chunk j digest Φ chunk) 18 passes over q c 1 =(c 47 + pass #) mod 256 after pass 17, use first 16 bytes as new digest minimal storage: checksum, 48 bytes

21 16 message words m 0 ;m 1 ;:::;m 15 4 message digest words d 0 ;d 1 ;d 2 ;d 3 21 MD4 any number of bits operates on 32-bit quantities pad to multiple of 512 bits (16 32-bit words): ,messagelengthinbits digest = f(512-bit blocks, previous digest or initial constant) 1 stage = three mangling passes d 0 = ;d 1 =89abcdef 16 ;d 2 = fedcba98 16 ;:::

22 x + y: addition mod MD4 Operations bxc ο: bitwise complement x ^ y: bitwise and x _ y: bitwise or x ψ- y: rotate left y bits

23 selection function: F (x; y; z) =(x ^ y) _ (ο x ^ z) if bit x n is 1: pick F n = y n,otherwisez n d 0 = (d 0 + F (d 1 ;d 2 ;d 3 )+m 0 ) ψ- 3 d 1 = (d 3 + F (d 0 ;d 1 ;d 2 )+m 1 ) ψ- 7 d 2 = (d 2 + F (d 3 ;d 0 ;d 1 )+m 2 ) ψ- 11 d 3 = (d 1 + F (d 2 ;d 3 ;d 0 )+m 3 ) ψ- 15 d 0 = (d 0 + F (d 1 ;d 2 ;d 3 )+m 4 ) ψ MD4 Pass 1: Selection d ( i)^3 =(d ( i)^3 + F (d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m i ) ψ- S 1 (i ^ 3) where S 1 (i) =3+4i, 1 10 = ; 2 10 = ;:::

24 constant b2 30p 2c =5a MD4 Pass 2: Majority G(x; y; z) =(x ^ y) _ (x ^ z) _ (y ^ z) G n =1iff 2 out of 3 bits x n ;y n ;z n are 1 d ( i)^3 = (d ( i)^3 + G(d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m X(i) +5a ) where X(i) exchange bits (2,3) with (0,1); S 2 =3; 5; 9; 13; 3;::: ψ- S 2 (i ^ 3) d 0 = (d 0 + G(d 1 ;d 2 ;d 3 )+m 0 +5a ) ψ- 3 d 1 = (d 3 + G(d 0 ;d 1 ;d 2 )+m 4 +5a ) ψ- 5 d 2 = (d 2 + G(d 3 ;d 0 ;d 1 )+m 8 +5a ) ψ- 9 d 3 = (d 1 + G(d 2 ;d 3 ;d 0 )+m 12 +5a ) ψ- 13 d 0 = (d 0 + G(d 1 ;d 2 ;d 3 )+m 1 +5a ) ψ- 3

25 25

26 constant b2 30p 3c =6ed9eba1 16 d 0 = (d 0 + H(d 1 ;d 2 ;d 3 )+m 0 +6ed9eba1 16 ) ψ- 3 d 1 = (d 3 + H(d 0 ;d 1 ;d 2 )+m 4 +6ed9eba1 16 ) ψ- 9 d 2 = (d 2 + H(d 3 ;d 0 ;d 1 )+m 8 +6ed9eba1 16 ) ψ- 11 d 3 = (d 1 + H(d 2 ;d 3 ;d 0 )+m 12 +6ed9eba1 16 ) ψ- 15 d 0 = (d 0 + H(d 1 ;d 2 ;d 3 )+m 2 +6ed9eba1 16 ) ψ MD4 Pass 3: Ex-Or H(x; y; z) =x Φ y Φ z d ( i)^3 = (d ( i)^3 + H(d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m R(i) +6ed9eba1 16 ) where R(i) Reverses bits in i; S 3 =3; 9; 11; 15 ψ- S 3 (i ^ 3)

27 27 MD5 MD4, MD5: same message padding, blocking, initial d i MD4: 3 passes MD5: 4 passes different functions, different shifts MD4: two constants for all m i MD5: different T i = b2 32 j sin ijc

28 d ( i)^3 = (d ( i)^3 + F (d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m i + T i+1 ) d 0 = (d 0 + F (d 1 ;d 2 ;d 3 )+m 0 + T 1 ) ψ- 7 d 1 = (d 3 + F (d 0 ;d 1 ;d 2 )+m 1 + T 2 ) ψ- 12 d 2 = (d 2 + F (d 3 ;d 0 ;d 1 )+m 2 + T 3 ) ψ- 17 d 3 = (d 1 + F (d 2 ;d 3 ;d 0 )+m 3 + T 4 ) ψ- 22 d 0 = (d 0 + F (d 1 ;d 2 ;d 3 )+m 4 + T 5 ) ψ MD5 Pass 1: Selection where S 1 =7+5i: ψ- S 1 (i ^ 3)

29 G(x; y; z) =(x ^ z) _ (y^ οz) d 0 = (d 0 + G(d 1 ;d 2 ;d 3 )+m 1 + T 17 ) ψ- 5 d 1 = (d 3 + G(d 0 ;d 1 ;d 2 )+m 6 + T 18 ) ψ- 9 d 2 = (d 2 + G(d 3 ;d 0 ;d 1 )+m 11 + T 19 ) ψ- 14 d 3 = (d 1 + G(d 2 ;d 3 ;d 0 )+m 0 + T 20 ) ψ- 20 d 0 = (d 0 + G(d 1 ;d 2 ;d 3 )+m 5 + T 21 ) ψ MD5 Pass 2: Selection Selection function: d ( i)^3 = (d ( i)^3 + F (d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m (5i+1)^15 + T i+17 ) ψ- S 2 (i ^ 3) where S 2 (i) =i(i +7)=2 +5:

30 d ( i)^3 = (d ( i)^3 + H(d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m (3i+5)^15 )+T i+33 ) d 0 = (d 0 + H(d 1 ;d 2 ;d 3 )+m 5 + T 33 ) ψ- 4 d 1 = (d 3 + H(d 0 ;d 1 ;d 2 )+m 8 + T 34 ) ψ- 11 d 2 = (d 2 + H(d 3 ;d 0 ;d 1 )+m 11 + T 35 ) ψ- 16 d 3 = (d 1 + H(d 2 ;d 3 ;d 0 )+m 14 + T 36 ) ψ- 23 d 0 = (d 0 + H(d 1 ;d 2 ;d 3 )+m 1 + T 37 ) ψ MD5 Pass 3: Ex-Or H(x; y; z) =x Φ y Φ z as in MD4 where S 3 (i) =4; 11; 16; 23; 4;::: ψ- S 3 (i ^ 3)

31 I(x; y; z) =y Φ (x_ οz) d ( i)^3 = (d ( i)^3 + I(d (1 i)^3 ;d (2 i)^3 ;d (3 i)^3 )+m (7i)^15 + T i+49 ) d 0 = (d 0 + I(d 1 ;d 2 ;d 3 )+m 0 + T 49 ) ψ- 6 d 1 = (d 3 + I(d 0 ;d 1 ;d 2 )+m 7 + T 50 ) ψ- 10 d 2 = (d 2 + I(d 3 ;d 0 ;d 1 )+m 14 + T 51 ) ψ- 15 d 3 = (d 1 + I(d 2 ;d 3 ;d 0 )+m 5 + T 52 ) ψ- 21 d 0 = (d 0 + I(d 1 ;d 2 ;d 3 )+m 12 + T 53 ) ψ MD5 Pass 4: Ex-or where S 4 (i) =6; 10; 15; 21; 6;::: ψ- S 4 (i ^ 3)

32 A = B = efcdab89 16 C = 98badcfe 16 D = E = c3d2e1f Secure Hash Standard (SHS) 64 bits! 160 bits similar to MD5 5 passes 5 32-bit digest words digest AjBjCjDjE:

33 A 0 = E +(A ψ- 5) + W t + K t + f(t; B; C; D) C 0 = B ψ- 30 K t = b2 30p xc, wherex = f2; 3; 5; 10g[t=20] 33 SHS start with 512-bit block fill 4 more blocks with recursion bit words: word W n = W n 3 Φ W n 8 Φ W n 14 Φ W n 16 ψ- 1 modify digest: B 0 = A D 0 = C E 0 = D

34 f(t; B; C; D) = (B ^ C) _ (ο B ^ D) for 0» t» 19 f(t; B; C; D) = B Φ C Φ D for 20» t» 39 f(t; B; C; D) = (B ^ C) _ (B ^ D) _ (C ^ D) for 40» t» 59 f(t; B; C; D) = B Φ C Φ D for 60» t» SHS Function f():