ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Similar documents
ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Week 12: Hash Functions and MAC

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Foundations of Network and Computer Security

Foundations of Network and Computer Security

Introduction to Information Security

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Introduction to Cryptography

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Introduction to Cryptography Lecture 4

Leftovers from Lecture 3

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

CPSC 467: Cryptography and Computer Security

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Attacks on hash functions: Cat 5 storm or a drizzle?

Notes for Lecture 9. 1 Combining Encryption and Authentication

Lecture 10: NMAC, HMAC and Number Theory

Foundations of Network and Computer Security

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

2: Iterated Cryptographic Hash Functions

Breaking H 2 -MAC Using Birthday Paradox

Cryptographic Hash Functions Part II

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Message Authentication Codes (MACs)

Lecture 1. Crypto Background

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Asymmetric Encryption

Lecture 10: NMAC, HMAC and Number Theory

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

Second Preimages for Iterated Hash Functions and their Implications on MACs

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Lecture 10 - MAC s continued, hash & MAC

General Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Introduction Description of MD5. Message Modification Generate Messages Summary

Avoiding collisions Cryptographic hash functions. Table of contents

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

12 Hash Functions Defining Security

1 Cryptographic hash functions

Exam Security January 19, :30 11:30

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Historical cryptography. cryptography encryption main applications: military and diplomacy

Avoiding collisions Cryptographic hash functions. Table of contents

3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function

5199/IOC5063 Theory of Cryptology, 2014 Fall

Cryptographic Hash Functions

Authentication. Chapter Message Authentication

Crypto Engineering (GBX9SY03) Hash functions

Lecture 14: Cryptographic Hash Functions

An introduction to Hash functions

Symmetric Crypto Systems

Lecture 10: HMAC and Number Theory

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

SMASH - A Cryptographic Hash Function

Question: Total Points: Score:

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Message Authentication Codes (MACs) and Hashes

1 Cryptographic hash functions

SMASH - A Cryptographic Hash Function

Lecture 1: Introduction to Public key cryptography

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

Public-key Cryptography: Theory and Practice

Perfectly-Crafted Swiss Army Knives in Theory

Symmetric Crypto Systems

New Attacks on the Concatenation and XOR Hash Combiners

Attacks on hash functions. Birthday attacks and Multicollisions

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Analysis of SHA-1 in Encryption Mode

Chapter 5. Hash Functions. 5.1 The hash function SHA1

HASH FUNCTIONS 1 /62

Further progress in hashing cryptanalysis

Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions

New Techniques for Cryptanalysis of Cryptographic Hash Functions. Rafael Chen

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Number theory (Chapter 4)

Introduction to Modern Cryptography Lecture 5

New Proofs for NMAC and HMAC: Security without Collision-Resistance

Beyond the MD5 Collisions

New Proofs for NMAC and HMAC: Security without Collision-Resistance

HASH FUNCTIONS. Mihir Bellare UCSD 1

A Composition Theorem for Universal One-Way Hash Functions

SPCS Cryptography Homework 13

A Pseudo-Random Encryption Mode

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Foundations of Network and Computer Security

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

CPSC 467b: Cryptography and Computer Security

Transcription:

ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park

Slides adjusted from: http://dziembowski.net/teaching/biss09/ 2009 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.

Some practictioners don t like the CBC-MAC What do you want to use instead? We don t want to authenticate using the block ciphers! Hash functions! Why? Because they are more efficient 3

Another idea for authenticating long messages F k (h(m)) k a block cipher F k h(m) a hash function h long m 4

How to formalize it? We need to define what is a hash function. The basic property that we require is: collision resistance

Collision-resistant hash functions short H(m) a hash function H : {0,1}* {0,1} L long m collision-resistance a collision Requirement: it should be hard to find a pair (m,m ) such that H(m) =H(m ) 6

Collisions always exist m domain range m Since the domain is larger than the range the collisions have to exist. 7

Practical definition H is a collision-resistant hash function if it is practically impossible to find collisions in H. Popular hash funcitons: MD5 (now considered broken) SHA1... 8

A common method for constructing hash functions 1. Construct a fixed-input-length collision-resistant hash function L h(m) h : {0,1} 2 L {0,1} L Call it: a collision-resistant compression 2 L function. 2. Use it to construct a hash function. m 9

An idea t pad with zeroes if needed m 0000 m 1 m 2... m B m i є {0,1} L IV h h... h H(m) can be arbitrary This doesn t work... 10

Why is it wrong? t m 0000 m 1 m... 2 m B If we set m = m 0000 then H(m ) = H(m). Solution: add a block encoding t. t m 0000... m 1 m 2 m B m B+1 := t 11

Merkle-Damgård transform given h : {0,1} 2L {0,1} L we construct H : {0,1}* {0,1} L t doesn t need to be know in advance (nice!) m 0000 m 1 m 2 m B m B+1 := t m i є {0,1} L IV... h h h h H(m) 12

This construction is secure We would like to prove the following: Theorem If h : {0,1} 2L {0,1} L is a collision-resistant compression function then H : {0,1}* {0,1} L is a collision-resistant hash function. 13

Let s prove it: How to compute a collision (x,y) in h from a collision (m,m ) in H? We consider two options: 1. m = m 2. m m 14

Option 1: m = m t m 0000 m 1 m 2 m B m B+1 := t t m 0000 m 1 m 2 m B m B+1 := t 15

m = m Some notation: m 0000 m 1 m 2 m B m B+1 := t IV h h h h z 1 z 3 z B+1 z 2... z B H(m) 16

m = m For m : m 0000 m 1 m 2 m B m B+1 := t IV h h h h z 1 z 2 z 3 z B z B+1... H(m ) 17

z B+2 =H(m) equal z B+2 =H(m ) m B+1 z B+1 m B+1 z B+1 m B z B m B z B...... z 3 z 3 m 2 z 2 not equal m 2 z 2 m 1 z 1 = IV m 1 z 1 = IV 18

z B+2 =H(m) equal z B+2 =H(m ) m B+1 z B+1 m B+1 z B+1 m B z B Let i* be the least i such that m B z B... (m i,z i ) = (m i,z i )... m 2 z 2 (because m m such an i* > 1 always exists!) m 2 z 2 m 1 z 1 = IV m 1 z 1 = IV 19

So, we have found a collision! z i* equal z i* h h m i*-1 z i*-1 not equal m i*-1 z i*-1 20

Option 2: m m H(m) equal H(m ) m B+1 z B+1 m B +1 z B +1...... the last block encodes the length on the message so these values cannot be equal! So, again we have found a collision! 21

Generic attacks on hash functions Remember the brute-force attacks on the encryption schemes? For the hash functions we can do something slightly smarter... It is called a birthday attack. 22

The birthday paradox Suppose we have a random function H : A B Take n values x 1,...,x n Let p(n) be the probability that there exist distinct i,j such that H(x i ) = H(x j ). If n B then trivially p(n) = 1. Question: How large n needs to be to get p(n) = 1/2 Answer: n» B 23

Why is it called a birthday paradox? Set: H : people birthdays Q: How many random people you need to take to know that with probability 0.5 at least 2 of them have birthday on the same day? A: 23 is enough! Counterintuitive... 24

How does the birthday attack work? For a hash function H : {0,1}* {0,1} L Take a random X a subset of {0,1} 2L, such that X = 2 L/2. With probability around 0.5 there exists x,x є X, such that H(x) = H(x ). A pair (x,x ) can be found in time O( X log X ) and space O( X ). Moral L has to be such that an attack that needs 2 L/2 steps is infeasible. 25

Find collisions for crypto-hashes? The brute-force birthday attack aims at finding a collision for a cryptographic function h with domain [1,2,,m] Randomly generate a sequence of plaintexts X 1, X 2, X 3, For each X i compute y i = h(x i ) and test whether y i = y j for some j < i Stop as soon as a collision has been found If there are m possible hash values, the probability that the i-th plaintext does not collide with any of the previous i -1 plaintexts is 1 - (i - 1)/m The probability F k that the attack fails (no collisions) after k plaintexts is Using the standard approximation 1 - x» e -x F k = (1-1/m) (1-2/m) (1-3/m) (1 - (k - 1)/m) F k» e -(1/m + 2/m + 3/m + + (k-1)/m) = e -k(k-1)/2m The attack succeeds with probability p when F k = 1 p, that is, For p=1/2 e -k(k-1)/2m = 1 p k» 1.17 m ½ For m = 365, p=1/2, k is around 24

Birthday attack

Concrete functions MD5, SHA-1, SHA-256,...... all use (variants of) Merkle-Damgård transformation. Hash functions can also be constructed using the number theory. 28

MD5 (Message-Digest Algorithm 5) output length: 128 bits, designed by Rivest in 1991, in 1996, Dobbertin found collisions in the compresing function of MD5, in 2004 a group of Chinese mathematicians designed a method for finding collisions in MD5, there exist a tool that finds collisions in MD5 with a speed 1 collision / minute (on a laptop-computer) Is MD5 completely broken? The attack would be practical if the colliding documents made sense... In 2005 A. Lenstra, X. Wang, and B. de Weger found X.509 certificates with different public keys and the same MD5 hash. 29

SHA-1 (Secure Hash Algorithm) output length: 160 bits, designed in 1993 by the NSA, in 2005 Xiaoyun Wang, Andrew Yao and Frances Yao presented an attack that runs in time 2 63. Still rather secure, but new hash algorithms are needed! A US National Institute of Standards and Technology is currently running a competition for a new hash algorithm. 30

Applications: Online Bid Example Suppose Alice, Bob, Charlie are bidders Alice plans to bid A, Bob B and Charlie C They do not trust that bids will be secret Nobody willing to submit their bid Solution? Alice, Bob, Charlie submit hashes h(a),h(b),h(c) All hashes received and posted online Then bids A, B and C revealed Hashes do not reveal bids (which property?) Cannot change bid after hash sent (which property?)

Online Bid This protocol is not secure! A forward search attack is possible Bob computes h(a) for likely bids A How to prevent this? Alice computes h(a,r), R is random Then Alice must reveal A and R Bob cannot try all A and R

Applications: Securing storage Bob has files f1,f2,,fn Bob sends to Amazon S3 the hashes h(r f1),h(r f2),,h(r fn) The files f1,f2,,fn Bob stores randomness r (and keeps it secret) Every time Bob reads a file f1, he also reads h(r fi) and verifies Any problems with writes?

SHA-2 overview

What the industry says about the hash and authenticate method? the block cipher is still there... Why don t we just hash a message together with a key: MAC k (m) = H(k m)? It s not secure! 35

Suppose H was constructed using the MDtransform MAC k (m t) MAC k (m) t + L MAC k (m) t z B t z B m z 2 m z 2 k IV k IV L 36

A better idea M. Bellare, R. Canetti, and H. Krawczyk (1996): NMAC (Nested MAC) HMAC (Hash based MAC) have some provable properties They both use the Merkle-Damgård transform. Again, let h : {0,1} 2L {0,1} L be a compression function. 37

NMAC m 0000 m 1 m B m B+1 := m k 1 h... h h k 2 h NMAC (k1,k2) (m) 38

Looks better, but 1. our libraries do not permit to change the IV 2. the key is too long: (k 1,k 2 ) HMAC is the solution! 39

HMAC k xor ipad m 1 m B+1 := m ipad = 0x36 repeated opad = 0x5C repeated IV h h... h IV h h HMAC k (m) k xor opad 40

HMAC the properties Looks complicated, but it is very easy to implement (given an implementation of H): HMAC k (m) = H((k xor opad) H(k xor ipad m)) It has some provable properties (slightly weaker than NMAC). Widely used in practice. We like it! 41

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback