Foundations of Network and Computer Security

Similar documents
Foundations of Network and Computer Security

Foundations of Network and Computer Security

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Introduction to Information Security

Leftovers from Lecture 3

Week 12: Hash Functions and MAC

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

ECS 189A Final Cryptography Spring 2011

Introduction to Cryptography Lecture 4

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Foundations of Network and Computer Security

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Message Authentication Codes (MACs)

Message Authentication. Adam O Neill Based on

Notes for Lecture 9. 1 Combining Encryption and Authentication

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

MESSAGE AUTHENTICATION 1/ 103

Introduction to Cryptography

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

CPSC 467: Cryptography and Computer Security

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Online Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh

Lecture 10: NMAC, HMAC and Number Theory

Lecture 14: Cryptographic Hash Functions

CPSC 467: Cryptography and Computer Security

Beyond the MD5 Collisions

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Further progress in hashing cryptanalysis

Lecture 1. Crypto Background

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Lecture 10 - MAC s continued, hash & MAC

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Avoiding collisions Cryptographic hash functions. Table of contents

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

1 Cryptographic hash functions

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Attacks on hash functions: Cat 5 storm or a drizzle?

1 Cryptographic hash functions

Cryptographic Hash Functions

Message Authentication Codes (MACs) and Hashes

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Some Attacks on Merkle-Damgård Hashes

New Proofs for NMAC and HMAC: Security without Collision-Resistance

Lecture 10: NMAC, HMAC and Number Theory

Lecture 1: Introduction to Public key cryptography

Question 1. The Chinese University of Hong Kong, Spring 2018

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

General Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Security without Collision-Resistance

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Crypto Engineering (GBX9SY03) Hash functions

Exam Security January 19, :30 11:30

Lecture 18: Message Authentication Codes & Digital Signa

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

An introduction to Hash functions

STRIBOB : Authenticated Encryption

2: Iterated Cryptographic Hash Functions

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Cryptographical Security in the Quantum Random Oracle Model

Authentication. Chapter Message Authentication

Introduction to Cybersecurity Cryptography (Part 4)

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Digital Signatures. Adam O Neill based on

Introduction to Cybersecurity Cryptography (Part 4)

CPSC 467b: Cryptography and Computer Security

Public Key Cryptography

CBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions

New Proofs for NMAC and HMAC: Security without Collision-Resistance

HASH FUNCTIONS 1 /62

Cryptographic Hash Functions Part II

New Attacks on the Concatenation and XOR Hash Combiners

Limits on the Efficiency of One-Way Permutation-Based Hash Functions

2 Message authentication codes (MACs)

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

A Composition Theorem for Universal One-Way Hash Functions

The Security of Abreast-DM in the Ideal Cipher Model

Solution of Exercise Sheet 7

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

Introduction to Modern Cryptography Lecture 5

Lecture 10: HMAC and Number Theory

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Attacks on hash functions. Birthday attacks and Multicollisions

On High-Rate Cryptographic Compression Functions

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

12 Hash Functions Defining Security

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

Asymmetric Encryption

Transcription:

Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005

Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps people still in class but are intending to drop?! Please do this by end of today

The Big (Partial) Picture Second-Level Protocols (Can do proofs) SSH, SSL/TLS, IPSec Electronic Cash, Electronic Voting First-Level Protocols (Can do proofs) Symmetric Encryption MAC Schemes Asymmetric Encryption Digital Signatures Primitives Block Ciphers Stream Ciphers Hash Functions Hard Problems (No one knows how to prove security; make assumptions)

Symmetric Authentication: The Intuitive Model Here s the intuition underlying the authentication model: Alice and Bob have some shared, random string K They wish to communicate over some insecure channel An active adversary is able to eavesdrop and arbitrarily insert packets into the channel Alice Adversary Bob Key K Key K

Authentication: The Goal Alice and Bob s Goal: Alice wishes to send packets to Bob in such a way that Bob can be certain (with overwhelming probability) that Alice was the true originator Adversary s Goal: The adversary will listen to the traffic and then (after some time) attempt to impersonate Alice to Bob If there is a significant probability that Bob will accept the forgery, the adversary has succeeded

The Solution: MACs The cryptographic solution to this problem is called a Message Authentication Code (MAC) A MAC is an algorithm which accepts a message M, a key K, and possibly some state (like a nonce N), and outputs a short string called a tag M K N MAC tag = MAC K (M, N)

MACs (cont) Alice computes tag = MAC K (M, N) and sends Bob the message (M, N, tag) Bob receives (M, N, tag ) and checks if MAC K (M, N ) == tag If YES, he accepts M as authentic If NO, he rejects M as an attempted forgery Note: We said nothing about privacy here! M might not be encrypted (M, N, tag ) Bob?? MAC K (M, N ) == tag Y ACCEPT N REJECT

Security for MACs The normal model is the ACMA model Adaptive Chosen-Message Attack Adversary gets a black-box called an oracle Oracle contains the MAC algorithm and the key K Adversary submits messages of his choice and the oracle returns the MAC tag After some reasonable number of queries, the adversary must forge To forge, the adversary must produce a new message M * along with a valid MAC tag for M * If no adversary can efficiently forge, we say the MAC is secure in the ACMA model

Building a MAC with a Blockcipher Let s use AES to build a MAC A common method is the CBC MAC: CBC MAC is stateless (no nonce N is used) Proven security in the ACMA model provided messages are all of once fixed length Resistance to forgery quadratic in the aggregate length of adversarial queries plus any insecurity of AES Widely used: ANSI X9.19, FIPS 113, ISO 9797-1 M 1 M 2 M m AES K AES K AES K tag

CBC MAC notes Just like CBC mode encryption except: No IV (or equivalently, IV is 0 n ) We output only the last value Not parallelizable Insecure if message lengths vary

Breaking CBC MAC If we allow msg lengths to vary, the MAC breaks To forge we need to do some (reasonable) number of queries, then submit a new message and a valid tag Ask M 1 = 0 n We re done! we get t = AES K (0 n ) back We announce that M * = 0 n t has tag t as well (Note that A B denotes the concatenation of strings A and B)

Varying Message Lengths: XCBC There are several well-known ways to overcome this limitation of CBC MAC XCBC, is the most efficient one known, and is provablysecure (when the underlying block cipher is computationally indistinguishable from random) Uses blockcipher key K1 and needs two additional n-bit keys K2 and K3 which are XORed in just before the last encipherment A proposed NIST standard (as CMAC ) M 1 M 2 M m K2 if n divides M K3 otherwise AES K1 AES K1 AES K1 tag

UMAC: MACing Faster In many contexts, cryptography needs to be as fast as possible High-end routers process > 1Gbps High-end web servers process > 1000 requests/sec But AES (a very fast block cipher) is already more than 15 cycles-per-byte on a PPro Block ciphers are relatively expensive; it s possible to build faster MACs UMAC is roughly ten times as fast as current practice

UMAC follows the Wegman-Carter Paradigm Since AES is (relatively) slow, let s avoid using it unless we have to Wegman-Carter MACs provide a way to process M first with a non-cryptographic hash function to reduce its size, and then encrypt the result Message M hash key hash function hash(m) encryption key encrypt tag

The Ubiquitous HMAC The most widely-used MAC (IPSec, SSL, many VPNs) Doesn t use a blockcipher or any universal hash family Instead uses something called a collision resistant hash function H Sometimes called cryptographic hash functions Keyless object more in a moment HMAC K (M) = H(K opad H(K ipad M)) opad is 0x36 repeated as needed ipad is 0x5C repeated as needed

Notes on HMAC Fast Faster than CBC MAC or XCBC Slow Because these crypto hash functions are fast Slower than UMAC and other universal-hash-family MACs Proven security But these crypto hash functions have recently been attacked and may show further weaknesses soon

What are cryptographic hash functions? A cryptographic hash function takes a message from {0,1} * and produces a fixed size output Output is called hash or digest or fingerprint There is no key The most well-known are MD5 and SHA-1 but there are other options MD5 outputs 128 bits SHA-1 outputs 160 bits Message % md5 Hello There ^D A82fadb196cba39eb884736dcca303a6 % Output Hash Function e.g., MD5,SHA-1

512 bits SHA-1... M 1 M 2 M m for i = 1 to m do W t = { t-th word of M i 0 t 15 ( W t-3 W t-8 W t-14 W t-16 ) << 1 16 t 79 A H 0 ; B H 1 ; C H 2 ; D H 3 ; E H 4 for t = 1 to 80 do T A << 5 + g t (B, C, D) + E + K t + W t E D; D C; C B >> 2; B A; A T end H 0i A + H 0 ; H 1i B + H 1 ; H 2i C+ H 2 ; H 3i D + H 3 ; H 4i E + H 4 end return H 0m H 1m H 2m H 3m H 4 m 160 bits

Real-world applications Hash functions are pervasive Message authentication codes (HMAC) Digital signatures (hash-and-sign) File comparison (compare-by-hash, eg, RSYNC) Micropayment schemes Commitment protocols Timestamping Key exchange...

A cryptographic property (quite informal) 1. Collision resistance given a hash function it is hard to find two colliding inputs M H BAD: H(M) = M mod 701 M H {0,1} n Strings

More cryptographic properties 1. Collision resistance given a hash function it is hard to find two colliding inputs 2. Second-preimage given a hash function and resistance given a first input, it is hard to find a second input that collides with the first 3. Preimage resistance given a hash function and given an hash output it is hard to invert that output

Merkle-Damgard construction Compression function M 1 M 2 M 3 IV n k f h 1 f h 2 f h 3 = H (M) k Fixed initial value Chaining value MD Theorem: if f is CR, then so is H

M 1 M 2 M m M i 512 bits... for i = 1 to m do W t = { t-th word of M i 0 t 15 ( W t-3 W t-8 W t-14 W t-16 ) << 1 16 t 79 A H 0 ; B H 1 ; C H 2 ; D H 3 ; E H 4 for t = 1 to 80 do 160 bits H 0..4 end T A << 5 + g t (B, C, D) + E + K t + W t E D; D C; C B >> 2; B A; A T H 0i A + H 0 ; H 1i B + H 1 ; H 2i C+ H 2 ; H 3i D + H 3 ; H 4i E + H 4 end return H 0m H 1m H 2m H 3m H 4 m 160 bits 160 bits

Hash Function Security Consider best-case scenario (random outputs) If a hash function output only 1 bit, how long would we expect to avoid collisions? Expectation: 1 0 + 2 ½ + 3 ½ = 2.5 What about 2 bits? Expectation: 1 0 + 2 ¼ + 3 ¾ ½ + 4 ¾ ½ ¾ + 5 ¾ ½ ¼ 3.22 This is too hard

Birthday Paradox Need another method Birthday paradox: if we have 23 people in a room, the probability is > 50% that two will share the same birthday Assumes uniformity of birthdays Untrue, but this only increases chance of birthday match Ignores leap years (probably doesn t matter much) Try an experiment with the class

Birthday Paradox (cont) Let s do the math Let n equal number of people in the class Start with n = 1 and count upward Let NBM be the event that there are No-Birthday-Matches For n=1, Pr[NBM] = 1 For n=2, Pr[NBM] = 1 364/365.997 For n=3, Pr[NBM] = 1 364/365 363/365.991 For n=22, Pr[NBM] = 1 344/365.524 For n=23, Pr[NBM] = 1 343/365.493 Since the probability of a match is 1 Pr[NBM] we see that n=23 is the smallest number where the probability exceeds 50%

Occupancy Problems What does this have to do with hashing? Suppose each hash output is uniform and random on {0,1} n Then it s as if we re throwing a ball into one of 2 n bins at random and asking when a bin contains at least 2 balls This is a well-studied area in probability theory called occupancy problems It s well-known that the probability of a collision occurs around the square-root of the number of bins If we have 2 n bins, the square-root is 2 n/2

Birthday Bounds This means that even a perfect n-bit hash function will start to exhibit collisions when the number of inputs nears 2 n/2 This is known as the birthday bound It s impossible to do better, but quite easy to do worse It is therefore hoped that it takes Ω(2 64 ) work to find collisions in MD5 and Ω(2 80 ) work to find collisions in SHA-1

The Birthday Bound 1.0 Probability 0.5 0.0 2 n/2 2 n Number of Hash Inputs

Latest News At CRYPTO 2004 (August) Collisions found in HAVAL, RIPEMD, MD4, MD5, and SHA-0 (2 40 operations) Wang, Feng, Lai, Yu Only Lai is well-known HAVAL was known to be bad Dobbertin found collisions in MD4 years ago MD5 news is big! CU team has lowered time-to-collision to 3 mins (July 2005) SHA-0 isn t used anymore (but see next slide)

Collisions in SHA-0 M 1, M 1 not in SHA-0 W t = { t-th word of M i 0 t 15 ( W t-3 W t-8 W t-14 W t-16 ) << 1 16 t 79 A H 0 ; B H 1 ; C H 2 ; D H 3 ; E H 4 65 for t = 1 to 80 do H 0..4 end T A << 5 + g t (B, C, D) + E + K t + W t E D; D C; C B >> 2; B A; A T H 0i Α + H 0 ; H 1i A + H 1 ; H 2i C+ H 2 ; H 3i D + H 3 ; H 4i E + H 4 Collision!

What Does this Mean? Who knows Methods are not yet understood Will undoubtedly be extended to more attacks Maybe nothing much more will happen But maybe everything will come tumbling down?! But we have OTHER ways to build hash functions

A Provably-Secure Blockcipher-Based Compression Function M i n bits h n bits E h i n bits

The Big (Partial) Picture Second-Level Protocols (Can do proofs) SSH, SSL/TLS, IPSec Electronic Cash, Electronic Voting First-Level Protocols (Can do proofs) Symmetric Encryption MAC Schemes Asymmetric Encryption Digital Signatures Primitives Block Ciphers Stream Ciphers Hash Functions Hard Problems (No one knows how to prove security; make assumptions)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback