Attacks on hash functions: Cat 5 storm or a drizzle?

Transcription

1 Attacks on hash functions: Cat 5 storm or a drizzle? Ilya Mironov Microsoft Research, Silicon Valley Campus September 15,

2 Outline Hash functions: Definitions Constructions Attacks What to do 2

3 Outline Hash functions: Definitions Constructions Attacks What to do 3

4 Functions of Hash Functions Entropy extractors Randomization Cryptography Signatures Authentication 4

5 Entropy extraction Alice random a g a g G, ord g = p Bob random b g b compute g ab compute g ab shared key = H( g ab ) 5

6 Enrtopy extraction IP, time, name, MAC address GUID H 6

7 Randomization Scenario: hash table

8 Cryptography RSA signature: parameters: N = pq, ed = 1 mod φ(n) sign C=H(M) C=M e mod e mod N, N, verify C d C=M d =H(M) mod Nmod N Attack: sign M 1, M 2, obtain C 1, C 2 (C 1 C 2 ) d =H(M =M 1 M 12 )H(M 2 ) 8

9 Authentication Alice M H K (M) shared K Bob 9

10 What is a hash function? H: {0,1}* {0,1} n 10

11 What is a hash function? H k : {0,1}* {0,1} n 11

12 What is cryptographically strong hash function? Collision resistant: Find x,y, so that H(x)=H(y) Second preimage-resistant: Given: x Find: y, so that H(x)=H(y) One-way: Given: z=h(x) Find: y, so that H(y)=z 12

13 Collision resistant x y 13

14 Second preimage-resistant x y 14

15 One-way x z y 15

16 Attacks Collision-resistance: - Compute M 1, M 2, so that H(M 1 ) = H(M 2 ) - Sign M 1 - M 2 is signed as well! Second preimage-resistance: - Find signature on M 1 - Compute M 2, so that H(M 1 ) = H(M 2 ) - M 2 is signed too! 16

17 Birthday paradox 23 17

18 Theoretical boundaries Collisions Always exist Birthday paradox: 2 n/2 Second preimage One-wayness Dan Simon 98 2 n 2 n 18

19 Outline Hash functions: Definitions Constructions Attacks What to do 19

20 Constructions Two main ingredients Fixed compression function Domain extender 20

21 Compression function 512 bits 160 bits 21

22 Compression function 512 bits 160 bits 22

23 Compression function «key» M «message» H Davies-Meyer construction (~1979) 23

24 Domain extender M 0 M 1 M 2 M 3 IV H 0 H 1 H 2 H 3 Merkle-Damgård construction (1989) 24

25 Proof? M 0 M 1 M 2 M 3 length IV H 0 H 1 H 2 H 3 H 4 25

26 Overview of construction M H(M) 26

27 Overview of construction M 0 M 1 M 2 M 3 length IV H 0 H 1 H 2 H 3 H 4 27

28 Overview of construction M 28

29 Overview of construction 29

30 Black box no more M IV H(M) 30

31 Outline Hash functions: Definitions Constructions Attacks What to do 31

32 Authentication MAC: H k (M) = H(k M) k M 1 M 2 M 3 IV H 0 H 1 H 2 H 3 H k (M M 3 ) = C(H k (M), M 3 ) 32

33 Cascading hash-functions F(M) = G 1 (M) G 2 (M) cascade «If G 1 and G 2 are independent, then finding a collision for F requires finding a collision for both simultaneously (i.e., on the same input), which one could hope would require the product of the efforts to attack them individually.» Handbook of Applied Cryptography 33

34 Joux attack M 0, N 0 M 1, N 1 M 2, N 2 M 3, N 3 IV H 0 H 1 H 2 H 3 k 2 n/2 effort to find 2 k collisions 34

35 Joux attack 1. With k 2 n/2 effort, find 2 k collisions for G 1 2. If k = n/2, we may find among them collision M, N for G 2 3. G 1 (M) = G 1 (N) and G 2 (M) = G 2 (N) 35

36 «Poisoned block» M 0 M 1 M 2, N 2 M 3 IV H 0 H 1 H 2 H 3 36

37 Attacking Postscript if (R2 (R1 == R1) then print( Dr. Jekyll ) else print( Mr. Hyde ) 37

38 Lenstra et al.: colliding X.509 X.509 certificate: version, serial number, signature algorithm identifier RSA modulo signature 38

39 Lenstra et al.: colliding X.509 X.509 certificate: version, serial number, signature algorithm identifier RSA modulo signature N 1 = <collision 1> N 2 = <collision 2>

40 Practice (second millennium) name author length # rounds year MD4 Ron Rivest 128 bit 48 rounds 1990 MD5 Ron Rivest 128 bit 64 rounds 1992 SHA0 NSA 160 bit 80 rounds 1993 SHA1 NSA 160 bit 80 rounds

41 Practice (third millennium) name author word (bits) length (bits) rounds year SHA-256 NSA SHA-384 NSA SHA-512 NSA Whirlpool Barreto, Rijmen

42 Speed In CPU cycles/byte on PIII: MD5 3.7 SHA1 8.3 SHA SHA Whirlpool 36 42

43 Attacks on MD4-MD5 hash author type complexity year Dobbertin collision MD4 Wang et al. collision dan Boer & Bosselaers pseudocollision MD5 Dobbertin free-start (chosen IV) Wang & Yu collision

44 Attacks on MD4-MD5 hash author type complexity year Dobbertin collision MD4 Wang et al. collision dan Boer & Bosselaers pseudocollision MD5 Dobbertin free-start (chosen IV) Wang & Yu collision

45 Attack on SHA-0,1 hash author type complexity year Chabaud & Joux collision 2 61 (theory) 1998 Biham & Chen near-collision SHA0 Biham et al. collision Wang et al. collision Biham et al. collision (40 rounds) 2005 SHA1 Wang et al. collision (58 rounds) Wang et al. collision 2 63 (theory)

46 Detailed structure of MD4 M a b c d Round 1 Round 2 Round

47 Detailed structure of MD4 a b c d + <<<s 0 + <<<s 1 + <<<s 2 F t F t F t F M 0 M 1 M 2 M 47

48 Introducing differentials M a b c d Round 1 Round 2 Round

49 Outline Hash functions: Definitions Constructions Attacks What to do 49

50 What is safe? Entropy extraction Randomization Cryptography Signatures Authentication 50

51 Entropy extraction Scenario I: H(g ab ) Scenario II: IP, time, name,... GUID 51

52 Randomization Pair-wise independent functions (Wegman & Carter): f(x) = ax+b mod N probability f(x 1 )=f(x 2 ) equals 1/N f(x) = a k x k +a k-1 x k a 1 x+a 0 mod N 52

53 Randomization Scenario: hash-table a, b, c - random H(x) = ax 2 +bx+c mod N 53

54 Cryptography Authentication Alice M H K (M) shared key K Bob Eve: M 1, H K (M 1 ), M 2, H K (M 2 ) M, H K (M) 54

55 Cryptography Authentication UMAC John Black, Shai Halevi, Hugo Krawczyk, Ted Krovetz, and Phillip Rogaway, 1999 RFC: under way for long messages ~1.5 cycle/byte 55

56 Cryptography Signatures theory: target-collision resistance practice: SHA1, SHA256, SHA512, Whirlpool Protocols, constructions?????? 56

57 Target-collision resistance H k (M) Eve: x Alice k y H k (x)=h k (y) 57

58 Signing using TCR hashes H k (M) TCR To sing M: 1. Generate k 2. Sign k H k (M) Attack? Find N so that k H k (M) = k H k (N) 58

59 Questions? 59