Attacks on hash functions: Cat 5 storm or a drizzle?

Similar documents
2: Iterated Cryptographic Hash Functions

Week 12: Hash Functions and MAC

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

Lecture 14: Cryptographic Hash Functions

Crypto Engineering (GBX9SY03) Hash functions

Foundations of Network and Computer Security

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Foundations of Network and Computer Security

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Introduction to Information Security

Introduction Description of MD5. Message Modification Generate Messages Summary

New Attacks on the Concatenation and XOR Hash Combiners

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Cryptographic Hash Functions Part II

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Asymmetric Encryption

Hashes and Message Digests Alex X. Liu & Haipeng Dai

An introduction to Hash functions

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Avoiding collisions Cryptographic hash functions. Table of contents

Message Authentication Codes (MACs)

Leftovers from Lecture 3

A Composition Theorem for Universal One-Way Hash Functions

Notes for Lecture 9. 1 Combining Encryption and Authentication

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Evaluation Report. Security Level of Cryptography SHA-384 and SHA- 512

New Techniques for Cryptanalysis of Cryptographic Hash Functions. Rafael Chen

Introduction to Cryptography

CPSC 467: Cryptography and Computer Security

ECS 189A Final Cryptography Spring 2011

Lecture 1. Crypto Background

New Proofs for NMAC and HMAC: Security without Collision-Resistance

Finding good differential patterns for attacks on SHA-1

Public-key Cryptography: Theory and Practice

CPSC 467: Cryptography and Computer Security

Exam Security January 19, :30 11:30

Title of Presentation

Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions

SMASH - A Cryptographic Hash Function

Cryptographic Hash Functions

SMASH - A Cryptographic Hash Function

Second Preimages for Iterated Hash Functions and their Implications on MACs

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.

2 n 2 n 2 n/2. Bart Preneel Generic Constructions for Iterated Hash Functions. Generic Constructions for Iterated Hash Functions.

Lecture V : Public Key Cryptography

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

5199/IOC5063 Theory of Cryptology, 2014 Fall

Breaking H 2 -MAC Using Birthday Paradox

Further progress in hashing cryptanalysis

Lecture 1: Introduction to Public key cryptography

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function

Chapter 8 Public-key Cryptography and Digital Signatures

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Weaknesses in the HAS-V Compression Function

Linearization and Message Modification Techniques for Hash Function Cryptanalysis

Foundations of Network and Computer Security

Thanks to: University of Illinois at Chicago NSF CCR Alfred P. Sloan Foundation

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

A Study of the MD5 Attacks: Insights and Improvements

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Cryptographical Security in the Quantum Random Oracle Model

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Martin Cochran. August 24, 2008

CPSC 467: Cryptography and Computer Security

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Cryptanalysis of the Hash Functions MD4 and RIPEMD

Practical consequences of the aberration of narrow-pipe hash designs from ideal random functions

Algebraic properties of SHA-3 and notable cryptanalysis results

Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family

Some Attacks on Merkle-Damgård Hashes

Attacks on hash functions. Birthday attacks and Multicollisions

Introduction to the Design and. Cryptanalysis of Cryptographic Hash Functions

Introduction to Cryptography Lecture 4

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners

Preimage Attacks on Reduced Tiger and SHA-2

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

A (Second) Preimage Attack on the GOST Hash Function

1 Number Theory Basics

Cryptography Assignment 5

Practical Free-Start Collision Attacks on full SHA-1

Merkle-Damgård Revisited : how to Construct a Hash Function

Question 1. The Chinese University of Hong Kong, Spring 2018

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Lecture 10 - MAC s continued, hash & MAC

Why not SHA-3? A glimpse at the heart of hash functions.

March 19: Zero-Knowledge (cont.) and Signatures

Authentication. Chapter Message Authentication

The Impact of Carries on the Complexity of Collision Attacks on SHA-1

CPSC 467b: Cryptography and Computer Security

Lecture 10: NMAC, HMAC and Number Theory

Avoiding collisions Cryptographic hash functions. Table of contents

Question: Total Points: Score:

Transcription:

Attacks on hash functions: Cat 5 storm or a drizzle? Ilya Mironov Microsoft Research, Silicon Valley Campus September 15, 2005 1

Outline Hash functions: Definitions Constructions Attacks What to do 2

Outline Hash functions: Definitions Constructions Attacks What to do 3

Functions of Hash Functions Entropy extractors Randomization Cryptography Signatures Authentication 4

Entropy extraction Alice random a g a g G, ord g = p Bob random b g b compute g ab compute g ab shared key = H( g ab ) 5

Enrtopy extraction IP, time, name, MAC address GUID H 6

Randomization Scenario: hash table 3 12 78 40 67 15 7

Cryptography RSA signature: parameters: N = pq, ed = 1 mod φ(n) sign C=H(M) C=M e mod e mod N, N, verify C d C=M d =H(M) mod Nmod N Attack: sign M 1, M 2, obtain C 1, C 2 (C 1 C 2 ) d =H(M =M 1 M 12 )H(M 2 ) 8

Authentication Alice M H K (M) shared K Bob 9

What is a hash function? H: {0,1}* {0,1} n 10

What is a hash function? H k : {0,1}* {0,1} n 11

What is cryptographically strong hash function? Collision resistant: Find x,y, so that H(x)=H(y) Second preimage-resistant: Given: x Find: y, so that H(x)=H(y) One-way: Given: z=h(x) Find: y, so that H(y)=z 12

Collision resistant x y 13

Second preimage-resistant x y 14

One-way x z y 15

Attacks Collision-resistance: - Compute M 1, M 2, so that H(M 1 ) = H(M 2 ) - Sign M 1 - M 2 is signed as well! Second preimage-resistance: - Find signature on M 1 - Compute M 2, so that H(M 1 ) = H(M 2 ) - M 2 is signed too! 16

Birthday paradox 23 17

Theoretical boundaries Collisions Always exist Birthday paradox: 2 n/2 Second preimage One-wayness Dan Simon 98 2 n 2 n 18

Outline Hash functions: Definitions Constructions Attacks What to do 19

Constructions Two main ingredients Fixed compression function Domain extender 20

Compression function 512 bits 160 bits 21

Compression function 512 bits 160 bits 22

Compression function «key» M «message» H Davies-Meyer construction (~1979) 23

Domain extender M 0 M 1 M 2 M 3 IV H 0 H 1 H 2 H 3 Merkle-Damgård construction (1989) 24

Proof? M 0 M 1 M 2 M 3 length IV H 0 H 1 H 2 H 3 H 4 25

Overview of construction M H(M) 26

Overview of construction M 0 M 1 M 2 M 3 length IV H 0 H 1 H 2 H 3 H 4 27

Overview of construction M 28

Overview of construction 29

Black box no more M IV H(M) 30

Outline Hash functions: Definitions Constructions Attacks What to do 31

Authentication MAC: H k (M) = H(k M) k M 1 M 2 M 3 IV H 0 H 1 H 2 H 3 H k (M M 3 ) = C(H k (M), M 3 ) 32

Cascading hash-functions F(M) = G 1 (M) G 2 (M) cascade «If G 1 and G 2 are independent, then finding a collision for F requires finding a collision for both simultaneously (i.e., on the same input), which one could hope would require the product of the efforts to attack them individually.» Handbook of Applied Cryptography 33

Joux attack M 0, N 0 M 1, N 1 M 2, N 2 M 3, N 3 IV H 0 H 1 H 2 H 3 k 2 n/2 effort to find 2 k collisions 34

Joux attack 1. With k 2 n/2 effort, find 2 k collisions for G 1 2. If k = n/2, we may find among them collision M, N for G 2 3. G 1 (M) = G 1 (N) and G 2 (M) = G 2 (N) 35

«Poisoned block» M 0 M 1 M 2, N 2 M 3 IV H 0 H 1 H 2 H 3 36

Attacking Postscript if (R2 (R1 == R1) then print( Dr. Jekyll ) else print( Mr. Hyde ) 37

Lenstra et al.: colliding X.509 X.509 certificate: version, serial number, signature algorithm identifier RSA modulo signature 38

Lenstra et al.: colliding X.509 X.509 certificate: version, serial number, signature algorithm identifier RSA modulo signature N 1 = <collision 1> 24519253 N 2 = <collision 2>24519253 39

Practice (second millennium) name author length # rounds year MD4 Ron Rivest 128 bit 48 rounds 1990 MD5 Ron Rivest 128 bit 64 rounds 1992 SHA0 NSA 160 bit 80 rounds 1993 SHA1 NSA 160 bit 80 rounds 1995 40

Practice (third millennium) name author word (bits) length (bits) rounds year SHA-256 NSA 32 256 64 2002 SHA-384 NSA 64 384 80 2002 SHA-512 NSA 64 512 80 2002 Whirlpool Barreto, Rijmen 512 10 2003 41

Speed In CPU cycles/byte on PIII: MD5 3.7 SHA1 8.3 SHA-256 21 SHA-512 40 Whirlpool 36 42

Attacks on MD4-MD5 hash author type complexity year Dobbertin collision 2 22 1996 MD4 Wang et al. collision 2 8 2005 dan Boer & Bosselaers pseudocollision 2 16 1993 MD5 Dobbertin free-start (chosen IV) 2 34 1996 Wang & Yu collision 2 39 2005 43

Attacks on MD4-MD5 hash author type complexity year Dobbertin collision 2 22 1996 MD4 Wang et al. collision 2 8 2005 dan Boer & Bosselaers pseudocollision 2 16 1993 MD5 Dobbertin free-start (chosen IV) 2 34 1996 Wang & Yu collision 2 39 2005 44

Attack on SHA-0,1 hash author type complexity year Chabaud & Joux collision 2 61 (theory) 1998 Biham & Chen near-collision 2 56 2004 SHA0 Biham et al. collision 2 51 2005 Wang et al. collision 2 39 2005 Biham et al. collision (40 rounds) 2005 SHA1 Wang et al. collision (58 rounds) 2 33 2005 Wang et al. collision 2 63 (theory) 2005 45

Detailed structure of MD4 M 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 a b c d Round 1 Round 2 Round 3 + + + + 46

Detailed structure of MD4 a b c d + <<<s 0 + <<<s 1 + <<<s 2 F t F t F t F M 0 M 1 M 2 M 47

Introducing differentials M 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 a b c d Round 1 Round 2 Round 3 + + + + 48

Outline Hash functions: Definitions Constructions Attacks What to do 49

What is safe? Entropy extraction Randomization Cryptography Signatures Authentication 50

Entropy extraction Scenario I: H(g ab ) Scenario II: IP, time, name,... GUID 51

Randomization Pair-wise independent functions (Wegman & Carter): f(x) = ax+b mod N probability f(x 1 )=f(x 2 ) equals 1/N f(x) = a k x k +a k-1 x k-1 + + a 1 x+a 0 mod N 52

Randomization Scenario: hash-table 3 12 78 40 67 15 a, b, c - random H(x) = ax 2 +bx+c mod N 53

Cryptography Authentication Alice M H K (M) shared key K Bob Eve: M 1, H K (M 1 ), M 2, H K (M 2 ) M, H K (M) 54

Cryptography Authentication UMAC John Black, Shai Halevi, Hugo Krawczyk, Ted Krovetz, and Phillip Rogaway, 1999 RFC: under way for long messages ~1.5 cycle/byte 55

Cryptography Signatures theory: target-collision resistance practice: SHA1, SHA256, SHA512, Whirlpool Protocols, constructions?????? 56

Target-collision resistance H k (M) Eve: x Alice k y H k (x)=h k (y) 57

Signing using TCR hashes H k (M) TCR To sing M: 1. Generate k 2. Sign k H k (M) Attack? Find N so that k H k (M) = k H k (N) 58

Questions? 59

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback