CPSC 467: Cryptography and Computer Security

Similar documents
CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Cryptographic Hash Functions

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Week 12: Hash Functions and MAC

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Attacks on hash functions. Birthday attacks and Multicollisions

Notes for Lecture 9. 1 Combining Encryption and Authentication

Lecture 14: Cryptographic Hash Functions

Introduction to Information Security

Beyond the MD5 Collisions

Asymmetric Encryption

Foundations of Network and Computer Security

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Avoiding collisions Cryptographic hash functions. Table of contents

Foundations of Network and Computer Security

Further progress in hashing cryptanalysis

CPSC 467: Cryptography and Computer Security

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Weaknesses in the HAS-V Compression Function

New Attacks on the Concatenation and XOR Hash Combiners

Cryptographic Hash Functions Part II

Authentication. Chapter Message Authentication

Lecture 1: Introduction to Public key cryptography

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

1 Cryptographic hash functions

1 Cryptographic hash functions

CPSC 467b: Cryptography and Computer Security

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

has the solution where M = Since c = w 2 mod n we have c w 2 (mod p) and c w 2 (mod q);

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Public-key Cryptography: Theory and Practice

Introduction Description of MD5. Message Modification Generate Messages Summary

Improved Collision Attack on MD5

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function

CPSC 467: Cryptography and Computer Security

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

Breaking H 2 -MAC Using Birthday Paradox

Network Security: Hashes

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Introduction to Cryptography Lecture 4

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

SMASH - A Cryptographic Hash Function

Henning Schulzrinne Columbia University, New York Columbia University, Fall 2000

Leftovers from Lecture 3

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Introduction to Cryptography

12 Hash Functions Defining Security

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

CIS 6930/4930 Computer and Network Security. Topic 4. Cryptographic Hash Functions

Domain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration

CPSC 467: Cryptography and Computer Security

Solution of Exercise Sheet 7

Algorithmic Number Theory and Public-key Cryptography

On the Big Gap Between p and q in DSA

Avoiding collisions Cryptographic hash functions. Table of contents

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Digital signature schemes

On High-Rate Cryptographic Compression Functions

Information Security

Cryptographic Hashing

Lecture 10 - MAC s continued, hash & MAC

10 Concrete candidates for public key crypto

Why not SHA-3? A glimpse at the heart of hash functions.

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Lecture 1. Crypto Background

CPSC 467b: Cryptography and Computer Security

A Pseudo-Random Encryption Mode

CPSC 467b: Cryptography and Computer Security

Analysis of SHA-1 in Encryption Mode

The Security of Abreast-DM in the Ideal Cipher Model

Symmetric Crypto Systems

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

Chapter 8 Public-key Cryptography and Digital Signatures

Attacks on hash functions: Cat 5 storm or a drizzle?

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

An introduction to Hash functions

Preimages for Step-Reduced SHA-2

A (Second) Preimage Attack on the GOST Hash Function

HASH FUNCTIONS 1 /62

Symmetric Crypto Systems

Lecture 4: DES and block ciphers

Hash Function Balance and its Impact on Birthday Attacks

SOME OBSERVATIONS ON THE CRYPTOGRAPHIC HASH FUNCTIONS

Public Key Algorithms

Improved Collision Search for SHA-0

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

DTTF/NB479: Dszquphsbqiz Day 27

SMASH - A Cryptographic Hash Function

Transcription:

CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37

Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New Hash Functions from Old Extending a hash function A general chaining method Hash functions do not always look random CPSC 467, Lecture 15 2/37

Common Hash Functions CPSC 467, Lecture 15 3/37

Popular hash functions Many cryptographic hash functions are currently in use. For example, the openssl library includes implementations of MD2, MD4, MD5, MDC2, RIPEMD, SHA, SHA-1, SHA-256, SHA-384, and SHA-512. The SHA-xxx methods (otherwise known as SHA-2) are recommended for new applications, but these other functions are also in widespread use. CPSC 467, Lecture 15 4/37

SHA-2 SHA-2 SHA-2 is a family of hash algorithms designed by NSA known as SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. They produce message digests of lengths 224, 256, 384, or 512 bits. They comprise the current Secure Hash Standard (SHS) and are described in FIPS 180 4. It states, Secure hash algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash message authentication codes, or in the generation of random numbers (bits). CPSC 467, Lecture 15 5/37

SHA-2 SHA-1 broken SHA-1 was first described in 1995. It produces a 160-bit message digest. It was broken in 2005 by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu: Finding Collisions in the Full SHA-1. CRYPTO 2005: 17-36. Wang and Yu did their work at Shandong University; Yin is listed on the paper as an independent security consultant in Greenwich, CT. CPSC 467, Lecture 15 6/37

SHA-2 SHA-1 still in use SHA-1 is still in widespread use despite its known vulnerabilities. Google is taking steps in its Chrome browser to alert users to web sites still using SHA-1 based certificates. See Gradually sunsetting SHA-1. CPSC 467, Lecture 15 7/37

SHA-2 A new secure hash algorithm On Nov. 2, 2007, NIST announced a public competition for a replacement algorithm to be known as SHA-3. The winner, an algorithm named Keccak, was announced on October 2, 2012. It is currently in the process of standardization. 1 1 See http://csrc.nist.gov/publications/drafts/fips-202/fips 202 draft.pdf. CPSC 467, Lecture 15 8/37

MD5 MD5 MD5 is an older algorithm (1992) devised by Rivest. Weaknesses were found as early as 1996. It was shown not to be collision resistant in 2004. 2 Subsequent papers show that MD5 has more serious weaknesses that make it no longer suitable for most cryptographic uses. We present an overview of MD5 here because it is relatively simple and it illustrates the principles used in many hash algorithms. 2 How to Break MD5 and Other Hash Functions by Xiaoyun Wang and Hongbo Yu. CPSC 467, Lecture 15 9/37

MD5 MD5 algorithm overview MD5 generates a 128-bit message digest from an input message of any length. It is built from a basic block function g : 128-bit 512-bit 128-bit. The MD5 hash function h is obtained as follows: The original message is padded to length a multiple of 512. The result m is split into a sequence of 512-bit blocks m 1, m 2,..., m k. h is computed by chaining g on the first argument. We next look at these steps in greater detail. CPSC 467, Lecture 15 10/37

MD5 MD5 padding As with block encryption, it is important that the padding function be one-to-one, but for a different reason. For encryption, the one-to-one property is what allows unique decryption. For a hash function, it prevents there from being trivial colliding pairs. For example, if the last partial block is simply padded with 0 s, then all prefixes of the last message block will become the same after padding and will therefore collide with each other. CPSC 467, Lecture 15 11/37

MD5 MD5 chaining The function h can be regarded as a state machine, where the states are 128-bit strings and the inputs to the machine are 512-bit blocks. The machine starts in state s 0, specified by an initialization vector IV. Each input block m i takes the machine from state s i 1 to new state s i = g(s i 1, m i ). The last state s k is the output of h, that is, h(m 1 m 2... m k 1 m k ) = g(g(... g(g(iv, m 1 ), m 2 )..., m k 1 ), m k ). CPSC 467, Lecture 15 12/37

MD5 MD5 block function The block function g(s, b) is built from a scrambling function g (s, b) that regards s and b as sequences of 32-bit words and returns four 32-bit words as its result. Suppose s = s 1 s 2 s 3 s 4 and g (s, b) = s 1 s 2 s 3 s 4. We define g(s, b) = (s 1 + s 1) (s 2 + s 2) (s 3 + s 3) (s 4 + s 4), where + means addition modulo 2 32 and is concatenation of the representations of integers as 32-bit binary strings. CPSC 467, Lecture 15 13/37

MD5 MD5 scrambling function The computation of the scrambling function g (s, b) consists of 4 stages, each consisting of 16 substages. We divide the 512-bit block b into 32-bit words b 1 b 2... b 16. Each of the 16 substages of stage i uses one of the 32-bit words of b, but the order they are used is defined by a permutation π i that depends on i. In particular, substage j of stage i uses word b l, where l = π i (j) to update the state vector s. The new state is f i,j (s, b l ), where f i,j is a bit-scrambling function that depends on i and j. CPSC 467, Lecture 15 14/37

MD5 Further remarks on MD5 We omit further details of the bit-scrambling functions f i,j, However, note that the state s can be represented by four 32-bit words, so the arguments to f i,j occupy only 5 machine words. These easily fit into the high-speed registers of modern processors. The definitive specification for MD5 is RFC1321 and errata. A general discussion of MD5 along with links to recent work and security issues can be found on Wikipedia. CPSC 467, Lecture 15 15/37

Birthday Attack on Hash Functions CPSC 467, Lecture 15 16/37

Bits of security for hash functions MD5 hash function produces 128-bit values, whereas the SHA-xxx family produces values of 160-bits or more. How many bits do we need for security? Both 128 and 160 are more than large enough to thwart a brute force attack that simply searches randomly for colliding pairs. However, the Birthday Attack reduces the size of the search space to roughly the square root of the original size. MD5 s effective security is at most 64 bits. ( 2 128 = 2 64.) SHA-1 s effective security is at most 80-bits. ( 2 160 = 2 80.) Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu describe an attack that reduces this number to only 69-bits (Crypto 2005). CPSC 467, Lecture 15 17/37

Birthday Paradox The birthday paradox is to find the probability that two people in a set of randomly chosen people have the same birthday. This probability is greater than 50% in any set of at least 23 randomly chosen people. 3. 23 is far less than the 253 people that are needed for the probability to exceed 50% that at least one of them was born on a specific day, say January 1. 3 See Wikipedia, Birthday paradox. CPSC 467, Lecture 15 18/37

Birthday Paradox (cont.) Here s why it works. The probability of not having two people with the same birthday is is q = 365 365 364 365 343 365 = 0.492703 Hence, the probability that (at least) two people have the same birthday is 1 q = 0.507297. This probability grows quite rapidly with the number of people in the room. For example, with 46 people, the probability that two share a birthday is 0.948253. CPSC 467, Lecture 15 19/37

Birthday attack on hash functions The birthday paradox gives a much faster way to find colliding pairs of a hash function than simply choosing pairs at random. Method: Choose a random set of k messages and see if any two messages in the set collide. ( Thus, with only k evaluations of the hash function, we can test k ) 2 = k(k 1)/2 different pairs of messages for collisions. CPSC 467, Lecture 15 20/37

Birthday attack analysis Of course, these ( k 2) pairs are not uniformly distributed, so one needs a birthday-paradox style analysis of the probability that a colliding pair will be found. The general result is that the probability of success is at least 1/2 when k n, where n is the size of the hash value space. CPSC 467, Lecture 15 21/37

Practical difficulties of birthday attack Two problems make this attack difficult to use in practice. 1. One must find duplicates in the list of hash values. This can be done in time O(k log k) by sorting. 2. The list of hash values must be stored and processed. For MD5, k 2 64. To store k 128-bit hash values requires 2 68 bytes 250 exabytes = 250,000 petabytes of storage. To sort would require log 2 (k) = 64 passes over the table, which would process 16 million petabytes of data. CPSC 467, Lecture 15 22/37

A back-of-the-envelope calculation Google was reportedly processing 20 petabytes of data per day in 2008. At this rate, it would take Google more than 800,000 days or nearly 2200 years just to sort the data. This attack is still infeasible for values of k needed to break hash functions. Nevertheless, it is one of the more subtle ways that cryptographic primitives can be compromised. CPSC 467, Lecture 15 23/37

Constructing New Hash Functions from Old CPSC 467, Lecture 15 24/37

Extension Extending a hash function Suppose we are given a strong collision-free hash function h : 256-bits 128-bits. How can we use h to build a strong collision-free hash function We consider several methods. H : 512-bits 128-bits? In the following, M is 512 bits long. We write M = m 1 m 2, where m 1 and m 2 are 256 bits each. CPSC 467, Lecture 15 25/37

Extension Method 1 First idea. Define H(M) = H(m 1 m 2 ) = h(m 1 ) h(m 2 ). Unfortunately, this fails to be either strong or weak collision-free. Let M = m 2 m 1. (M, M ) is always a colliding pair for H except in the special case that m 1 = m 2. Recall that (M, M ) is a colliding pair iff H(M) = H(M ) and M M. CPSC 467, Lecture 15 26/37

Extension Method 2 Second idea. Define H(M) = H(m 1 m 2 ) = h(h(m 1 )h(m 2 )). m 1 and m 2 are suitable arguments for h() since m 1 = m 2 = 256. Also, h(m 1 )h(m 2 ) is a suitable argument for h() since h(m 1 ) = h(m 2 ) = 128. Theorem If h is strong collision-free, then so is H. CPSC 467, Lecture 15 27/37

Extension Correctness proof for Method 2 Assume H has a colliding pair (M = m 1 m 2, M = m 1 m 2 ). Then H(M) = H(M ) but M M. Case 1: h(m 1 ) h(m 1 ) or h(m 2) h(m 2 ). Let u = h(m 1 )h(m 2 ) and u = h(m 1 )h(m 2 ). Then h(u) = H(M) = H(M ) = h(u ), but u u. Hence, (u, u ) is a colliding pair for h. Case 2: h(m 1 ) = h(m 1 ) and h(m 2) = h(m 2 ). Since M M, then m 1 m 1 or m 2 m 2 (or both). Whichever pair is unequal is a colliding pair for h. In each case, we have found a colliding pair for h. Hence, H not strong collision-free h not strong collision-free. Equivalently, h strong collision-free H strong collision-free. CPSC 467, Lecture 15 28/37

Chaining A general chaining method Let h : r-bits t-bits be a hash function, where r t + 2. (In the above example, r = 256 and t = 128.) Define H(m) for m of arbitrary length. Divide m after appropriate padding into blocks m 1 m 2... m k, each of length r t 1. Compute a sequence of t-bit states: Then H(m) = s k. s 1 = h(0 t 0m 1 ) s 2 = h(s 1 1m 2 ). s k = h(s k 1 1m k ). CPSC 467, Lecture 15 29/37

Chaining Chaining construction gives strong collision-free hash Theorem Let h be a strong collision-free hash function. Then the hash function H constructed from h by chaining is also strong collision-free. CPSC 467, Lecture 15 30/37

Chaining Correctness proof Assume H has a colliding pair (m, m ). We find a colliding pair for h. Let m = m 1 m 2... m k give state sequence s 1,..., s k. Let m = m 1 m 2... m k give state sequence s 1,..., s k. Assume without loss of generality that k k. Because m and m collide under H, we have s k = s k. Let r be the largest value for which s k r = s k r. Let i = k r, the index of the first such equal pair s i = s k k+i. We proceed by cases. (continued... ) CPSC 467, Lecture 15 31/37

Chaining Correctness proof (case 1) Case 1: i = 1 and k = k. Then s j = s j for all j = 1,..., k. Because m m, there must be some l such that m l m l. If l = 1, then (0 t 0m 1, 0 t 0m 1 ) is a colliding pair for h. If l > 1, then (s l 1 1m l, s l 1 1m l ) is a colliding pair for h. (continued... ) CPSC 467, Lecture 15 32/37

Chaining Correctness proof (case 2) Case 2: i = 1 and k < k. Let u = k k + 1. Then s 1 = s u. Since u > 1 we have that h(0 t 0m 1 ) = s 1 = s u = h(s u 11m u), so (0 t 0m 1, s u 1 1m u) is a colliding pair for h. Note that this is true even if 0 t = s u 1 and m 1 = m u, a possibility that we have not ruled out. (continued... ) CPSC 467, Lecture 15 33/37

Chaining Correctness proof (case 3) Case 3: i > 1. Then u = k k + i > 1. By choice of i, we have s i = s u, but s i 1 s u 1. Hence, h(s i 1 1m i ) = s i = s u = h(s u 11m u), so (s i 1 1m i, s u 1 1m u) is a colliding pair for h. (continued... ) CPSC 467, Lecture 15 34/37

Chaining Correctness proof (conclusion) In each case, we found a colliding pair for h. The contradicts the assumption that h is strong collision-free. Hence, H is also strong collision-free. CPSC 467, Lecture 15 35/37

Non-random Hash values can look non-random Intuitively, we like to think of h(y) as being random-looking, with no obvious pattern. Indeed, it would seem that obvious patterns and structure in h would provide a means of finding collisions, violating the property of being strong-collision free. But this intuition is faulty, as I now show. CPSC 467, Lecture 15 36/37

Non-random Example of a non-random-looking hash function Suppose h is a strong collision-free hash function. Define H(x) = 0 h(x). If (x, x ) is a colliding pair for H, then (x, x ) is also a colliding pair for h. Thus, H is strong collision-free, despite the fact that the string H(x) always begins with 0. Later on, we will talk about how to make functions that truly do appear to be random (even though they are not). CPSC 467, Lecture 15 37/37

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback