Attacks on hash functions: Cat 5 storm or a drizzle? Ilya Mironov Microsoft Research, Silicon Valley Campus September 15, 2005 1
Outline Hash functions: Definitions Constructions Attacks What to do 2
Outline Hash functions: Definitions Constructions Attacks What to do 3
Functions of Hash Functions Entropy extractors Randomization Cryptography Signatures Authentication 4
Entropy extraction Alice random a g a g G, ord g = p Bob random b g b compute g ab compute g ab shared key = H( g ab ) 5
Enrtopy extraction IP, time, name, MAC address GUID H 6
Randomization Scenario: hash table 3 12 78 40 67 15 7
Cryptography RSA signature: parameters: N = pq, ed = 1 mod φ(n) sign C=H(M) C=M e mod e mod N, N, verify C d C=M d =H(M) mod Nmod N Attack: sign M 1, M 2, obtain C 1, C 2 (C 1 C 2 ) d =H(M =M 1 M 12 )H(M 2 ) 8
Authentication Alice M H K (M) shared K Bob 9
What is a hash function? H: {0,1}* {0,1} n 10
What is a hash function? H k : {0,1}* {0,1} n 11
What is cryptographically strong hash function? Collision resistant: Find x,y, so that H(x)=H(y) Second preimage-resistant: Given: x Find: y, so that H(x)=H(y) One-way: Given: z=h(x) Find: y, so that H(y)=z 12
Collision resistant x y 13
Second preimage-resistant x y 14
One-way x z y 15
Attacks Collision-resistance: - Compute M 1, M 2, so that H(M 1 ) = H(M 2 ) - Sign M 1 - M 2 is signed as well! Second preimage-resistance: - Find signature on M 1 - Compute M 2, so that H(M 1 ) = H(M 2 ) - M 2 is signed too! 16
Birthday paradox 23 17
Theoretical boundaries Collisions Always exist Birthday paradox: 2 n/2 Second preimage One-wayness Dan Simon 98 2 n 2 n 18
Outline Hash functions: Definitions Constructions Attacks What to do 19
Constructions Two main ingredients Fixed compression function Domain extender 20
Compression function 512 bits 160 bits 21
Compression function 512 bits 160 bits 22
Compression function «key» M «message» H Davies-Meyer construction (~1979) 23
Domain extender M 0 M 1 M 2 M 3 IV H 0 H 1 H 2 H 3 Merkle-Damgård construction (1989) 24
Proof? M 0 M 1 M 2 M 3 length IV H 0 H 1 H 2 H 3 H 4 25
Overview of construction M H(M) 26
Overview of construction M 0 M 1 M 2 M 3 length IV H 0 H 1 H 2 H 3 H 4 27
Overview of construction M 28
Overview of construction 29
Black box no more M IV H(M) 30
Outline Hash functions: Definitions Constructions Attacks What to do 31
Authentication MAC: H k (M) = H(k M) k M 1 M 2 M 3 IV H 0 H 1 H 2 H 3 H k (M M 3 ) = C(H k (M), M 3 ) 32
Cascading hash-functions F(M) = G 1 (M) G 2 (M) cascade «If G 1 and G 2 are independent, then finding a collision for F requires finding a collision for both simultaneously (i.e., on the same input), which one could hope would require the product of the efforts to attack them individually.» Handbook of Applied Cryptography 33
Joux attack M 0, N 0 M 1, N 1 M 2, N 2 M 3, N 3 IV H 0 H 1 H 2 H 3 k 2 n/2 effort to find 2 k collisions 34
Joux attack 1. With k 2 n/2 effort, find 2 k collisions for G 1 2. If k = n/2, we may find among them collision M, N for G 2 3. G 1 (M) = G 1 (N) and G 2 (M) = G 2 (N) 35
«Poisoned block» M 0 M 1 M 2, N 2 M 3 IV H 0 H 1 H 2 H 3 36
Attacking Postscript if (R2 (R1 == R1) then print( Dr. Jekyll ) else print( Mr. Hyde ) 37
Lenstra et al.: colliding X.509 X.509 certificate: version, serial number, signature algorithm identifier RSA modulo signature 38
Lenstra et al.: colliding X.509 X.509 certificate: version, serial number, signature algorithm identifier RSA modulo signature N 1 = <collision 1> 24519253 N 2 = <collision 2>24519253 39
Practice (second millennium) name author length # rounds year MD4 Ron Rivest 128 bit 48 rounds 1990 MD5 Ron Rivest 128 bit 64 rounds 1992 SHA0 NSA 160 bit 80 rounds 1993 SHA1 NSA 160 bit 80 rounds 1995 40
Practice (third millennium) name author word (bits) length (bits) rounds year SHA-256 NSA 32 256 64 2002 SHA-384 NSA 64 384 80 2002 SHA-512 NSA 64 512 80 2002 Whirlpool Barreto, Rijmen 512 10 2003 41
Speed In CPU cycles/byte on PIII: MD5 3.7 SHA1 8.3 SHA-256 21 SHA-512 40 Whirlpool 36 42
Attacks on MD4-MD5 hash author type complexity year Dobbertin collision 2 22 1996 MD4 Wang et al. collision 2 8 2005 dan Boer & Bosselaers pseudocollision 2 16 1993 MD5 Dobbertin free-start (chosen IV) 2 34 1996 Wang & Yu collision 2 39 2005 43
Attacks on MD4-MD5 hash author type complexity year Dobbertin collision 2 22 1996 MD4 Wang et al. collision 2 8 2005 dan Boer & Bosselaers pseudocollision 2 16 1993 MD5 Dobbertin free-start (chosen IV) 2 34 1996 Wang & Yu collision 2 39 2005 44
Attack on SHA-0,1 hash author type complexity year Chabaud & Joux collision 2 61 (theory) 1998 Biham & Chen near-collision 2 56 2004 SHA0 Biham et al. collision 2 51 2005 Wang et al. collision 2 39 2005 Biham et al. collision (40 rounds) 2005 SHA1 Wang et al. collision (58 rounds) 2 33 2005 Wang et al. collision 2 63 (theory) 2005 45
Detailed structure of MD4 M 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 a b c d Round 1 Round 2 Round 3 + + + + 46
Detailed structure of MD4 a b c d + <<<s 0 + <<<s 1 + <<<s 2 F t F t F t F M 0 M 1 M 2 M 47
Introducing differentials M 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 a b c d Round 1 Round 2 Round 3 + + + + 48
Outline Hash functions: Definitions Constructions Attacks What to do 49
What is safe? Entropy extraction Randomization Cryptography Signatures Authentication 50
Entropy extraction Scenario I: H(g ab ) Scenario II: IP, time, name,... GUID 51
Randomization Pair-wise independent functions (Wegman & Carter): f(x) = ax+b mod N probability f(x 1 )=f(x 2 ) equals 1/N f(x) = a k x k +a k-1 x k-1 + + a 1 x+a 0 mod N 52
Randomization Scenario: hash-table 3 12 78 40 67 15 a, b, c - random H(x) = ax 2 +bx+c mod N 53
Cryptography Authentication Alice M H K (M) shared key K Bob Eve: M 1, H K (M 1 ), M 2, H K (M 2 ) M, H K (M) 54
Cryptography Authentication UMAC John Black, Shai Halevi, Hugo Krawczyk, Ted Krovetz, and Phillip Rogaway, 1999 RFC: under way for long messages ~1.5 cycle/byte 55
Cryptography Signatures theory: target-collision resistance practice: SHA1, SHA256, SHA512, Whirlpool Protocols, constructions?????? 56
Target-collision resistance H k (M) Eve: x Alice k y H k (x)=h k (y) 57
Signing using TCR hashes H k (M) TCR To sing M: 1. Generate k 2. Sign k H k (M) Attack? Find N so that k H k (M) = k H k (N) 58
Questions? 59