Week 12: Hash Functions and MAC

Transcription

1 Week 12: Hash Functions and MAC

2 1. Introduction Hash Functions vs. MAC 2

3 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved. Must be at least One-way to be useful. Applications Keyed hash: MAC/ICV generation. Unkeyed hash: digital signature, password file, key stream / pseudo-random number generator, etc. Constructions Iterated hash functions (MD4-family hash functions): MD5, SHA-1, SHA-2, HAVAL, HAS160, etc. Hash functions based on block ciphers: MDC(Manipulation Detection Code) H Short Message Digest or Fingerprint D = H(M) 3

4 Message Authentication Code (MAC) MAC Generate a fixed length MAC for an arbitrary length message A keyed hash function Message origin authentication Message integrity Entity authentication Shared Secret Key Constructions Keyed hash: HMAC Block cipher: CBC-MAC MAC MAC MAC 4

5 Comparison of Hash Function & MAC Arbitrary length message Arbitrary length message Hash function Secret key MAC function Hash fixed length MAC fixed length Easy to compute Compression: arbitrary length input to fixed length output Unkeyed function vs. Keyed function 5

6 Message Authentication using MAC Alice Bob Message MAC transmit Message MAC K AB Shared Secret key between Alice and Bob Secret key algorithm K AB Shared Secret key between Alice and Bob Secret key algorithm MAC no? yes 6

7 Digital Signature with Hash Function Signer Verifier Message Signature Message transmit Signature Hash function Hash function Hashing Hashing Signer s Private key Public key algorithm no? yes Public key algorithm Signer s Public key 7

8 MAC and Digital Signature (Summary) MAC (Message Authentication Code) Generated and verified by a secret key algorithm Message origin authentication & Message integrity Schemes Keyed hash: HMAC Block cipher: CBC-MAC, Digital Signature Generated and verified by a public key algorithm and a hash function Message origin authentication & Message integrity Non-repudiation Schemes Hash + Digital signature algorithm RSA-PSS, DSA, etc. 8

9 2. Hash Functions 9

10 Hash Functions Requirements Efficient Computation Security Properties Preimage resistance (One-wayness) : Given y, it is computationally infeasible to find any input x such that y = h(x) 2nd preimage resistance (Weak collision resistance) : Given x, it is computationally infeasible to find another input x x such that h(x) = h(x ) Collision resistance (Strong collision resistance) : It is computationally infeasible to find any two distinct inputs x and x such that h(x) = h(x ) 10

11 BFA on OW Hash Function (Preimage Attack) Given y, find m such that h(m) = y m i for i = 1, 2,... 2 n h( ) Arbitrary message, m i or m j of the same meaning? h(m i ) n bits h(m i ) = y? 11

12 Multiple Messages with Meaning Same I state thereby that I borrowed $10,000 from confirm received ten thousand dollars Mr. Kris Gaj on October 15, This money Dr. Krzysztof 15 October amount of money should be returned to Mr. Gaj by November 30, is required to given back Dr. 30 November 11 different positions of similar expressions 2 11 different messages of the same meaning 12

13 Collision in Collision-Resistant Hash Function Find any two distinct messages m, m such that h(m) = h(m ). m i for i = 1, 2,... 2 m m i h h h(m i ) n bits How large m should be required to get a match? h(m i ) n bits 13

14 Birthday Paradox How many students there must be in a class for there be a greater than 50% chance that 1. One of the students shares the teacher s birthday? (complexity breaking one-wayness) 365/ Any two of the students share the same birthday? (complexity breaking collision resistance) (365-k+1) / 365 k > 0.5 k 23 In general, the probability of a match being found when k samples are randomly selected between 1 and n equals n! 1 1 e k ( n k)! n k( k 1) 2n 14

15 One Million $ Hardware Brute Force Attack One-Way Hash Functions (complexity = 2 n ) n = 64 n = 80 n = 128 Year days 718 years years Collision-Resistant Hash Functions (complexity = 2 n/2 ) n = 128 n = 160 n = 256 Year days 718 years years 15

16 Construction of Hash Function (1/2) Message m length Padding & length encoding M 1 M 2 M 3 M t 1 2 t-1 b b b b IV=H 0 n f n H f n H f n n... n f H H t Legend: IV : Initial Value H i : i-th Chaining variable M i : i-th input block f : Compression function g : Output transformation (optional) t : Number of input blocks b : Block size in bits n : Hash code size in bits g h(m) 16

17 Construction of Hash Function b M i (2/2) Compression Function (fixed-size hash function) n f n H i H i-1 Entire hash H 0 = IV H i = f (H i-1, M i ) for 1 i t H(m) = g(h t ) Fact(by Merkle-Damgård) MD-strengthening. Any collision-resistant compression function f can be extended to a collision-resistant hash function h 17

18 Typical Padding Assume Block size = 512 bits (MD5, SHA-1, RMD160, HAS160 ) Last 512-bit block Message m length Let r = m mod 512 If 512-r > 64 padding = 512-(r+64) bits 64 bit integer (bit-length of message m) else padding = 512-r+448 bits (two padding blocks) 18

19 Hash Function Family Dedicated (Customized) Based on block ciphers Based on Modular Arith. Broken Broken MD2 MD4 MDC-1 MDC-2 MDC-4 MASH-1 Broken MD5 Broken Weakness discovered SHA-0 SHA-1 RIPEMD-128 RIPEMD-160 Reduced round Version broken HAS-160 SHA-2 19

20 SHA (Secure Hash Algorithm) (1/2) SHA was designed by NIST (National Institute of Standards and Technology) & NSA (National Security Agency) US standard for use with DSA signature scheme The algorithm is SHA and the standard is SHS. Based on the design of MD4 and MD5 by SHA-0: FIPS PUB 180, 1993 SHA-1: FIPS Pub 180-1, 1995 bitwise rotation of message schedule of SHA-0 changed widely-used security applications and protocols such as TLS and SSL, PGP, SSH, S/MIME, and IPsec SHA-2: FIPS Pub 180-2, 2001 SHA-224, SHA-256, SHA-384, and SHA-512 Not so popular as SHA-1 20

21 SHA (Secure Hash Algorithm) (2/2) Algorithm and variant Output size (bits). Internal state siz e (bits) Block size (bits) Max message siz e (bits) Word size (bits ) Rounds Operation Collision s Found SHA SHA ,and,or, xor,rot +,and,or, xor,rot Yes Yes 2 52 attack (*) SHA-2 56/ / ,and,or, xor,shr,rot None SHA-2 SHA-5 12/ / ,and,or, xor,shr,rot None (*) Cameron McDonald, Philip Hawkes and Josef Pieprzyk, SHA-1 collisions now 2^52, Eurocrypt 2009 Rump session, 837a0a8086fa6ca ddfae43d.pdf. 21

22 SHA-1 Overview Y q CV q A B C D E round 0 f 1, ABCDE, Y q, K 0, w 0 A B C D E round 1 f 2, ABCDE, Y q, K 1, w 1 A B C D E round 79 f 80, ABCDE, Y q, K 79, w CV q

23 SHA-1 Round Function A B C D E Input buffer f t Boolean function CLS 5 CLS30 Cyclic left shift W t K t From message Constants A B C D E Output buffer 23

24 SHA-1 Constants & Boolean Functions Initial values A = B = E F C D A B 8 9 C = 9 8 B A D C F E D = E = C 3 D 2 E 1 F 0 Constants K t t = 0 ~ 19 K t = 5 A t = 20 ~ 39 K t = 6 E D 9 E B A 1 t = 40 ~ 59 K t = 8 F 1 B B C D C t = 60 ~ 79 K t = C A 6 2 C 1 D 6 Boolean function f t t = 0 ~ 19 t = 20 ~ 39 t = 40 ~ 59 t = 60 ~ 79 f t (B, C, D) = B C + B D f t (B, C, D) = B C D f t (B, C, D) = B C + B D + C D f t (B, C, D) = B C D 24

25 SHA-1 Message Inputs 512-bit w 2 w 8 w t 14 w t 8 w 65 w 71 Y q w 0 w 13 w t 16 w t 3 w 63 w 76 w 0 32 w CLS 1 CLS 1 CLS 1 w 15 w 16 w t w 79 CLS: Cyclic Left Shift 25

26 Step Operations of MD5 & SHA-1 D C B A A B C D E f r + f r + + M i <<5 + + K r + M i <<s i + <<30 + K r D C B A Little endian A B C D E Big endian 26

27 Step Operations of SHA1 & HAS160 A B C D E E D C B A f r + + f r <<5 + + <<s i + M i M i + <<30 + K r K r + <<s r <<s r A B C D E E D C B A

28 Comparison Hash Func. MD5 SHA1 RMD160 HAS160 Digest size(bits) Block size(bits) No of steps 64(4x16) 80(4x20) 160(5x2x16) 80(4x20) Boolean func. 4 4(3) 5 4(3) Constants Endianness Little Big Little Little Speed ratio

29 Hash Ft based on Block Ciphers : MDC1 Matyas-Meyer-Oseas Scheme H i-1 M i block size block size Compression function f g: a function mapping an input H i to a key suitable for E, might be the identity function g E H i block size Provably Secure under an appropriate blackbox model But produces too short hash codes for use in most applications 29

30 Hash Ft based on Block Ciphers : MDC2 M i H i-1 g E E g H i-1 A B C D A D C B Compression function f H i H i 30

31 Collision1.bin Ex. of MD5 Collisions Collision2.bin Same MD5 Hashed Value!! 31

32 MD5 Collision Attacks Colliding valid X.509 certificates Lenstra, Wang, Weger, forged X.509 certificates, Same owner with different public keys (2048 bits) Stevens, Lenstra, Weger, Eurocrypt bit public key (8-block collision) Stevens etc. Crypto 2009 Pass the browser authentication, different owners, different public keys (See next) 32

33 X.509v3 Real and Fake Certificates using MD-5 S1 Serial number A CA name Validity period A Domain name A chosen prefix (different) Serial number B CA name Validity period B Domain name B Rogue RSA key Rogue X.509 extensions S1 S2 S3 A1 A2 A3 RSA key X.509 extensions valid CA signature collision bits (computed) birthday block + near collision blocks identical bytes (copied from Real cert) Netscape Comment Extension* X.509 extensions valid CA signature S2 S3 * contents ignored by browsers 33

34 SHA-3 Project 34