ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Similar documents
ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Pseudo-random Number Generation. Qiuliang Tang

Leftovers from Lecture 3

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Introduction to Information Security

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Week 12: Hash Functions and MAC

Foundations of Network and Computer Security

Lecture 10: NMAC, HMAC and Number Theory

Lecture 1: Introduction to Public key cryptography

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Foundations of Network and Computer Security

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Public-key Cryptography: Theory and Practice

Introduction to Cryptography Lecture 4

Lecture 10: NMAC, HMAC and Number Theory

Authentication. Chapter Message Authentication

Introduction to Cybersecurity Cryptography (Part 4)

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Lecture 1. Crypto Background

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 10: HMAC and Number Theory

Notes for Lecture 9. 1 Combining Encryption and Authentication

Foundations of Network and Computer Security

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

General Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Exam Security January 19, :30 11:30

CPSC 467: Cryptography and Computer Security

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

CPSC 467: Cryptography and Computer Security

Asymmetric Encryption

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

5199/IOC5063 Theory of Cryptology, 2014 Fall

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Lecture Notes. Advanced Discrete Structures COT S

CPSC 467b: Cryptography and Computer Security

Introduction to Cryptography

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

Message Authentication Codes (MACs)

Lecture 14: Cryptographic Hash Functions

1 Number Theory Basics

Public Key Cryptography

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

CPSC 467: Cryptography and Computer Security

Pseudo-Random Generators

Pseudo-Random Generators

Avoiding collisions Cryptographic hash functions. Table of contents

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

An introduction to Hash functions

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Lecture 18: Message Authentication Codes & Digital Signa

Computer Science A Cryptography and Data Security. Claude Crépeau

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

ECS 189A Final Cryptography Spring 2011

CPSC 467: Cryptography and Computer Security

Lecture 10 - MAC s continued, hash & MAC

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Foundations of Network and Computer Security

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

ASYMMETRIC ENCRYPTION

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Introduction to Modern Cryptography. Benny Chor

Attacks on hash functions. Birthday attacks and Multicollisions

Attacks on hash functions: Cat 5 storm or a drizzle?

Message Authentication. Adam O Neill Based on

Cryptographic Hash Functions

Network Security: Hashes

Cryptographic Hash Functions Part II

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

A new message authentication code based on the non-associativity of quasigroups. Kristen Ann Meyer. A dissertation submitted to the graduate faculty

Public Key Algorithms

Lecture 22: RSA Encryption. RSA Encryption

Cryptography and Security Midterm Exam

Introduction to Cryptography. Lecture 8

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Benes and Butterfly schemes revisited

Question: Total Points: Score:

Message Authentication Codes (MACs) and Hashes

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Henning Schulzrinne Columbia University, New York Columbia University, Fall 2000

Breaking H 2 -MAC Using Birthday Paradox

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

1 Cryptographic hash functions

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

12 Hash Functions Defining Security

CPSC 467: Cryptography and Computer Security

CIS 6930/4930 Computer and Network Security. Topic 4. Cryptographic Hash Functions

RSA RSA public key cryptosystem

3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function

Algorithmic Number Theory and Public-key Cryptography

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

1 Cryptographic hash functions

Introduction to Modern Cryptography Lecture 5

Transcription:

ENEE 459-C Computer Security Message authentication (continue from previous lecture)

Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic hash function (attack?)

Find collisions for crypto-hashes? The brute-force birthday attack aims at finding a collision for a cryptographic function h Randomly generate a sequence of plaintexts X 1, X 2, X 3, For each X i compute y i = h(x i ) and test whether y i = y j for some j < i Stop as soon as a collision has been found If there are m possible hash values, the probability that the i-th plaintext does not collide with any of the previous i -1 plaintexts is 1 - (i - 1)/m The probability F k that the attack fails (no collisions) after k plaintexts is F k = (1-1/m) (1-2/m) (1-3/m) (1 - (k - 1)/m) Using the standard approximation 1 - x e -x F k e -(1/m + 2/m + 3/m + + (k-1)/m) = e -k(k-1)/2m The attack succeeds with probability p when F k = 1 p, that is, For p=1/2 e -k(k-1)/2m = 1 p k 1.17 m ½ For m = 365, p=1/2, k is around 24

Birthday attack

Applications: Online Bid Example Suppose Alice, Bob, Charlie are bidders Alice plans to bid A, Bob B and Charlie C They do not trust that bids will be secret Nobody willing to submit their bid Solution? Alice, Bob, Charlie submit hashes h(a),h(b),h(c) All hashes received and posted online Then bids A, B and C revealed Hashes do not reveal bids (which property?) Cannot change bid after hash sent (which property?)

Online Bid This protocol is not secure! A forward search attack is possible Bob computes h(a) for likely bids A How to prevent this? Alice computes h(a,r), R is random Then Alice must reveal A and R Bob cannot try all A and R

Applications: Securing storage Bob has files f1,f2,,fn Bob sends to Amazon S3 the hashes h(r f1),h(r f2),,h(r fn) The files f1,f2,,fn Bob stores randomness r (and keeps it secret) Every time Bob reads a file f1, he also reads h(r fi) and verifies Any problems with writes?

Well Known Hash Functions MD5 output 128 bits collision resistance completely broken by researchers in China in 2004 SHA1 output 160 bits considered insecure for collision resistance SHA2 (SHA-224, SHA-256, SHA-384, SHA-512) outputs 224, 256, 384, and 512 bits, respectively No real security concerns yet SHA3 Recently proposed Not meant to replace SHA2

Merkle-Damgard Construction for Hash Functions Message is divided into fixed-size blocks and padded Uses a compression function f, which takes a chaining variable (of size of hash output) and a message block, and outputs the next chaining variable Final chaining variable is the hash value

Merkle s meta-method any collision resistant compression function f can be extended to a CRHF Merkle s meta-method provides an efficient way to construct CRHF from f n bit output, r bit chain variable collision for h would imply collision for f for some stage i

Message-Digest Algorithm 5 (MD5) Developed by Ron Rivest in 1991 Uses 128-bit hash values Still widely used in legacy applications although considered insecure Various severe vulnerabilities discovered Collisions found by Marc Stevens, Arjen Lenstra and Benne de Weger

SHA-2 overview

SHA-2 internals

Limitation of Using Hash Functions for Authentication Require an authentic channel to transmit the hash of a message Without such a channel, it is insecure, because anyone can compute the hash value of any message, as the hash function is public Such a channel may not always exist How to address this? use more than one hash functions use a key to select which one to use

Hash Family A hash family is a four-tuple (X,Y,K,H ), where X is a set of possible messages Y is a finite set of possible message digests K is the keyspace For each K K, there is a hash function h K H. Each h K : X Y Alternatively, one can think of H as a function K X Y

Message Authentication Code A MAC scheme is a hash family, used for message authentication MAC(K,M) = H K (M) The sender and the receiver share secret K The sender sends (M, H k (M)) The receiver receives (X,Y) and verifies that H K (X)=Y, if so, then accepts the message as from the sender To be secure, an adversary shouldn t be able to come up with (X,Y ) such that H K (X )=Y.

Security Requirements for MAC Resist the Existential Forgery under Chosen Plaintext Attack Challenger chooses a random key K Adversary chooses a number of messages M 1, M 2,.., M n, and obtains t j =MAC(K,M j ) for 1 j n Adversary outputs M and t Adversary wins if j M M j, and t =MAC(K,M )

Constructing MAC from Hash Functions Let h be a one-way hash function MAC(K,M) = h(k M), where denote concatenation Insecure as MAC Because of the Merkle-Damgard construction for hash functions, given M and t=h(k M), adversary can compute M =M and t, such that h(k M ) = t

HMAC: Constructing MAC from Cryptographic Hash Functions HMAC K [M] = Hash[(K + opad) Hash[(K + ipad) M)]] K + is the key padded (with 0) to B bytes, the input block size of the hash function ipad = the byte 0x36 repeated B times opad = the byte 0x5C repeated B times. At high level, HMAC K [M] = H(K H(K M))

HMAC Security If used with a secure hash functions (e.g., SHA-256) and according to the specification (key size, and use correct output), no known practical attacks against HMAC

Randomness is important! The keystream in the one-time pad The secret key used in ciphers The initialization vectors (IVs) used in ciphers

Pseudo-random Number Generator Pseudo-random number generator: A polynomial-time computable function f (x) that expands a short random string x into a long string f (x) that appears random Not truly random in that: Deterministic algorithm Dependent on initial values Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin. John von Neumann Objectives Fast Secure

Pseudo-random Number Generator Classical PRNGs Linear Congruential Generator Cryptographically Secure PRNGs Blum-Micali Generator

Linear Congruential Generator - Algorithm Based on the linear recurrence: x i = a x i-1 + b mod m i 1 Where x 0 is the seed or start value a is the multiplier b is the increment m is the modulus Output (x 1, x 2,, x k ) y i = x i mod 2 Y = (y 1 y 2 y k ) pseudo-random sequence of K bits

Linear Congruential Generator - Example Let x n = 3 x n-1 + 5 mod 31 n 1, and x 0 = 2 3 and 31 are relatively prime, one-to-one (affine cipher) 31 is prime, order is 30 Then we have the 30 residues in a cycle: 2, 11, 7, 26, 21, 6, 23, 12, 10, 4, 17, 25, 18, 28, 27, 24, 15, 19, 0, 5, 20, 3, 14, 16, 22, 9, 1, 8, 29, 30 Pseudo-random sequences of 10 bits when x 0 = 2 01101010001 When x 0 = 3 10001101001

Linear Congruential Generator - Security Fast, but insecure Sensitive to the choice of parameters a, b, and m Serial correlation between successive values Short period, often m=2 32 or m=2 64

Linear Congruential Generator - Application Used commonly in compilers Rand() Not suitable for high-quality randomness applications Not suitable for cryptographic applications Use cryptographically secure pseudo-random number generators

Cryptographically Secure Passing the next-bit test Given the first k bits of a string generated by PRBG, there is no polynomial-time algorithm that can correctly predict the next (k+1) th bit with probability significantly greater than ½ Next-bit unpredictable

Blum-Micali Generator - Concept Discrete logarithm Let p be an odd prime, then (Z p*, ) is a cyclic group with order p-1 Let g be a generator of the group, then <g> = p-1, and for any element a in the group, we have g k = a mod p for some integer k If we know k, it is easy to compute a However, the inverse is hard to compute, that is, if we know a, it is hard to compute k = log g a Example (Z 17*, ) is a cyclic group with order 16, 3 is the generator of the group and 3 16 = 1 mod 17 Let k=4, 3 4 = 13 mod 17, which is easy to compute The inverse: 3 k = 13 mod 17, what is k? what about large p?

Blum-Micali Generator - Algorithm Based on the discrete logarithm one-way function: Let p be an odd prime, then (Z p*, ) is a cyclic group Let g be a generator of the group, then for any element a, we have g k = a mod p for some k Let x 0 be a seed x i = g x i-1 mod p i 1 Output (x 1, x 2,, x k ) y i = 1 if x i (p-1)/2 y i = 0 otherwise Y = (y 1 y 2 y k ) pseudo-random sequence of K bits

Blum-Micali Generator - Security Blum-Micali Generator is provably secure It is difficult to predict the next bit in the sequence given the previous bits, assuming it is difficult to invert the discrete logarithm function (by reduction)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback